diff --git a/charts/f5/f5-bigip-ctlr/.helmignore b/charts/f5/f5-bigip-ctlr/0.0.2601/.helmignore similarity index 100% rename from charts/f5/f5-bigip-ctlr/.helmignore rename to charts/f5/f5-bigip-ctlr/0.0.2601/.helmignore diff --git a/charts/f5/f5-bigip-ctlr/0.0.2601/Chart.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/Chart.yaml new file mode 100644 index 0000000000..3ea13102e3 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2601/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes and + OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr +apiVersion: v1 +description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). +home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services +icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 +keywords: +- F5 +- BIG-IP +- Containers +- Kubernetes +- OpenShift +maintainers: +- email: f5_cis_operators@f5.com + name: F5CISSupport +name: f5-bigip-ctlr +sources: +- https://github.com/F5Networks/k8s-bigip-ctlr +- https://github.com/F5Networks/charts +version: 0.0.2601 diff --git a/charts/f5/f5-bigip-ctlr/README.md b/charts/f5/f5-bigip-ctlr/0.0.2601/README.md similarity index 100% rename from charts/f5/f5-bigip-ctlr/README.md rename to charts/f5/f5-bigip-ctlr/0.0.2601/README.md diff --git a/charts/f5/f5-bigip-ctlr/app-readme.md b/charts/f5/f5-bigip-ctlr/0.0.2601/app-readme.md similarity index 100% rename from charts/f5/f5-bigip-ctlr/app-readme.md rename to charts/f5/f5-bigip-ctlr/0.0.2601/app-readme.md diff --git a/charts/f5/f5-bigip-ctlr/0.0.2601/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/0.0.2601/crds/f5-bigip-ctlr-customresourcedefinitions.yml new file mode 100644 index 0000000000..d9b56e2f70 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2601/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -0,0 +1,1058 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + httpTraffic: + type: string + enum: [allow, none, redirect] + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + tlsProfileName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + policyName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + rewriteAppRoot: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + waf: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + path: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostRewrite: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ http, https, tcp ] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + hosts: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + tls: + type: object + properties: + termination: + type: string + enum: [edge, reencrypt, passthrough] + clientSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + clientSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip, secret] + required: + - termination + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + clientSubnetPreferred: + type: boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer + minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + lbModeFallback: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/questions.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/questions.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/questions.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/questions.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/NOTES.txt b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/NOTES.txt similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/NOTES.txt rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/NOTES.txt diff --git a/charts/f5/f5-bigip-ctlr/templates/_helpers.tpl b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/_helpers.tpl similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/_helpers.tpl rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/_helpers.tpl diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrole.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-clusterrole.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrole.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-clusterrole.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrolebinding.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-clusterrolebinding.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrolebinding.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-clusterrolebinding.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-deploy.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-deploy.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-deploy.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-deploy.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-ingress-class.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-ingress-class.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-ingress-class.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-ingress-class.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-secrets.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-secrets.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-secrets.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-secrets.yaml diff --git a/charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-serviceaccount.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-serviceaccount.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/templates/f5-bigip-ctlr-serviceaccount.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/templates/f5-bigip-ctlr-serviceaccount.yaml diff --git a/charts/f5/f5-bigip-ctlr/values.yaml b/charts/f5/f5-bigip-ctlr/0.0.2601/values.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/values.yaml rename to charts/f5/f5-bigip-ctlr/0.0.2601/values.yaml diff --git a/charts/gluu/gluu/charts/admin-ui/.helmignore b/charts/f5/f5-bigip-ctlr/0.0.2701/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/.helmignore rename to charts/f5/f5-bigip-ctlr/0.0.2701/.helmignore diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/Chart.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/Chart.yaml new file mode 100644 index 0000000000..3d9453372d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes and + OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr +apiVersion: v1 +description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). +home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services +icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 +keywords: +- F5 +- BIG-IP +- Containers +- Kubernetes +- OpenShift +maintainers: +- email: f5_cis_operators@f5.com + name: F5CISSupport +name: f5-bigip-ctlr +sources: +- https://github.com/F5Networks/k8s-bigip-ctlr +- https://github.com/F5Networks/charts +version: 0.0.2701 diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/README.md b/charts/f5/f5-bigip-ctlr/0.0.2701/README.md new file mode 100644 index 0000000000..0dc941a99d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/README.md @@ -0,0 +1,93 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- (Optional) Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart if BIGIP credential secrets created manually using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds if BIGIP credential secrets created manually (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +- If you want to create the BIGIP credential secret with helm charts use the following command: + +```helm install --set bigip_secret.create="true" --set bigip_secret.username=$BIGIP_USERNAME --set bigip_secret.password=$BIGIP_PASSWORD -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Optional | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +bigip_secret.create | Optional | Create kubernetes secret using username and password | false +bigip_secret.username | Optional | bigip username to create the kubernetes secret | empty +bigip_secret.password | Optional | bigip password to create the kubernetes secret | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of deployment securityContext | empty +podSecurityContext | Optional | Dictionary of pod securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.isDefaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + +Note: bigip_login_secret and bigip_secret are mutually exclusive, if both are defined in values.yaml file bigip_secret will be given priority. + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/app-readme.md b/charts/f5/f5-bigip-ctlr/0.0.2701/app-readme.md new file mode 100644 index 0000000000..6f28ef779d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/app-readme.md @@ -0,0 +1,87 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Required | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.defaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + + + + + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/0.0.2701/crds/f5-bigip-ctlr-customresourcedefinitions.yml new file mode 100644 index 0000000000..1ca5659768 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -0,0 +1,1092 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + httpTraffic: + type: string + enum: [allow, none, redirect] + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + tlsProfileName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + policyName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + rewriteAppRoot: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + waf: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + path: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostRewrite: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ http, https, tcp ] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + minimumMonitors: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + hosts: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + tls: + type: object + properties: + termination: + type: string + enum: [edge, reencrypt, passthrough] + clientSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + clientSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip, secret] + required: + - termination + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + clientSubnetPreferred: + type: boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer + minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + lbModeFallback: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: [ uieSourceAddress, hashSourceAddress ] + timeOut: + type: integer + minimum: 1 + default: 180 \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/questions.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/questions.yaml new file mode 100644 index 0000000000..4d276dfbde --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/questions.yaml @@ -0,0 +1,75 @@ +questions: +- variable: bigip_login_secret + required: true + type: string + label: "Name of the k8s secret object with BIG-IP login credentials." +- variable: args.bigip_url + required: true + type: string + label: "BIG-IP Management IP/URL" +- variable: args.bigip_partition + required: true + type: string + label: "BIG-IP Partition" +- variable: image.user + type: string + label: "Image Repository where CIS image is hosted" +- variable: image.repo + type: string + label: "CIS image name" +- variable: version + type: string + label: "CIS version tag." + default: "latest" +- variable: args.pool_member_type + type: string + label: "Type of BIG-IP Pool members to create." + default: "nodeport" +- variable: args.node_poll_interval + type: string + label: "In seconds, the interval at which the CIS polls the cluster to find all node members." + default: "30" +- variable: args.verify_interval + type: string + label: "In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system." + default: "30" +- variable: args.agent + type: string + label: "Specify the agent for CIS to communicate with BIG-IP. CCCL or AS3" + default: "as3" +- variable: args.custom_resource_mode + type: string + label: "Set 'true' to process CRD resources. Supported in AS3 agent. When true ConfigMaps, Routes, and Ingress are not processed by CIS." + default: "false" +- variable: args.ipam + type: string + label: "Specify if CIS provides the ability to interface with F5 IPAM Controller (FIC). Valid with agent AS3." + default: "false" +- variable: args.disable_teems + type: string + label: "If true, analytics data is not sent to F5." + default: "false" +- variable: args.hubmode + type: string + label: "When `true`, ConfigMaps with Services in same and different namespace are processed. CIS >= 2.5.0+. Valid with agent AS3." + default: "false" +- variable: args.default_route_domain + type: string + label: "Set default Route Domain for Custom resources. Valid with agent AS3." + default: "0" +- variable: args.filter_tenants + type: string + label: "Specify to use tenant filtering API for AS3 declaration. This allows CIS to process each AS3 Tenant separately. Compatible with ConfigMap only. Valid with agent AS3. CIS >= 2.7" + default: "false" +- variable: args.enable_ipv6 + type: string + label: "When set to true, it enables IPv6 network support. CIS >= 2.7." + default: "false" +- variable: args.log_level + type: string + label: "Configured the log level. INFO, DEBUG, CRITICAL, WARNING, ERROR." + default: "INFO" +- variable: args.log_as3_response + type: string + label: "When set to true, adds the body of AS3 API response in Controller logs." + default: "false" diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/NOTES.txt b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/NOTES.txt new file mode 100644 index 0000000000..302512a9b3 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/NOTES.txt @@ -0,0 +1,6 @@ +Container Ingress Services controller: {{ .Release.Name }} + +Controller Documentation: +- Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/ +- OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/ + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/_helpers.tpl b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/_helpers.tpl new file mode 100644 index 0000000000..7ce05d2ef2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/_helpers.tpl @@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "f5-bigip-ctlr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Check for user given namespace or give kube-system +*/}} +{{- define "f5-bigip-ctlr.namespace" -}} +{{- if hasKey .Values "namespace" -}} +{{- .Values.namespace -}} +{{- else -}} +{{- print "kube-system" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "f5-bigip-ctlr.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "f5-bigip-ctlr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* +Create the name of the service account to use +*/}} +{{- define "f5-bigip-ctlr.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "f5-bigip-ctlr.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrole.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrole.yaml new file mode 100644 index 0000000000..c60eb6eb8a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrole.yaml @@ -0,0 +1,111 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - nodes + - services + - endpoints + - namespaces + - ingresses + - pods + - ingressclasses + - policies + - routes + verbs: + - get + - list + - watch + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - configmaps + - events + - ingresses/status + - services/status + - routes/status + verbs: + - get + - list + - watch + - update + - create + - patch + - apiGroups: + - cis.f5.com + resources: + - virtualservers + - virtualservers/status + - tlsprofiles + - transportservers + - transportservers/status + - ingresslinks + - ingresslinks/status + - externaldnses + - policies + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - '' + - extensions + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - config.openshift.io/v1 + resources: + - network + verbs: + - list +{{- if .Values.args.ipam }} + - apiGroups: + - fic.f5.com + resources: + - ipams + - ipams/status + verbs: + - get + - list + - watch + - update + - create + - patch + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update + - create + - patch +{{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrolebinding.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrolebinding.yaml new file mode 100644 index 0000000000..aba54704d7 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "f5-bigip-ctlr.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-deploy.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-deploy.yaml new file mode 100644 index 0000000000..7cb7152803 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-deploy.yaml @@ -0,0 +1,135 @@ +{{- if or (not .Values.args.bigip_url) (not .Values.args.bigip_partition) }} +{{/* +Generate errors for missing required values. +*/}} +# {{required "BIG-IP url not specified - add to Values or pass with `--set` " .Values.args.bigip_url }} +# {{required "BIG-IP partition not specified - add to Values or pass with `--set` " .Values.args.bigip_partition }} +{{- else -}} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "-" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "f5-bigip-ctlr.name" . }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + release: {{ .Release.Name }} + spec: +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} + serviceAccountName: {{ template "f5-bigip-ctlr.serviceAccountName" . }} +{{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range $pullSecret := .Values.image.pullSecrets }} + - name: {{ $pullSecret }} + {{- end }} +{{- end }} + securityContext: + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsUser }} + runAsUser: {{ $securityContext.runAsUser }} + {{- else }} + runAsUser: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsGroup }} + runAsGroup: {{ $securityContext.runAsGroup }} + {{- else }} + runAsGroup: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.fsGroup }} + fsGroup: {{ $securityContext.fsGroup }} + {{- else }} + fsGroup: 1000 + {{- end }} + containers: + - name: {{ template "f5-bigip-ctlr.name" . }} + image: "{{ .Values.image.user }}/{{ .Values.image.repo }}:{{ .Values.version }}" + {{- if .Values.podSecurityContext }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 15 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 15 + volumeMounts: + - name: bigip-creds + mountPath: "/tmp/creds" + readOnly: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /app/bin/k8s-bigip-ctlr + args: + - --credentials-directory + - /tmp/creds + {{- $ns := .Values.args.namespaces }} + {{- range $key, $value := .Values.args }} + {{- if eq $key "namespaces" }} + {{- range $ns}} + - --namespace={{ . }} + {{- end }} + {{- else }} + - --{{ $key | replace "_" "-"}}={{ $value }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.limits_cpu | default "100m" }} + memory: {{ .Values.limits_memory | default "512Mi" }} + requests: + cpu: {{ .Values.requests_cpu | default "100m" }} + memory: {{ .Values.requests_memory | default "512Mi" }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6}} +{{- end }} + volumes: + - name: bigip-creds + secret: + {{- if .Values.bigip_secret.create }} + secretName: f5-bigip-ctlr-login + {{- else }} + secretName: {{ .Values.bigip_login_secret }} + {{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-ingress-class.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-ingress-class.yaml new file mode 100644 index 0000000000..2105a219a2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-ingress-class.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.create -}} + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.ingressClass.ingressClassName | default "f5" }} + annotations: + ingressclass.kubernetes.io/is-default-class: "{{ .Values.ingressClass.isDefaultIngressController | default false }}" +spec: + controller: f5.com/cntr-ingress-svcs + +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-secrets.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-secrets.yaml new file mode 100644 index 0000000000..181415835a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-secrets.yaml @@ -0,0 +1,19 @@ +{{- if .Values.bigip_secret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: f5-bigip-ctlr-login + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + username: {{ .Values.bigip_secret.username | b64enc | quote }} + password: {{ .Values.bigip_secret.password | b64enc | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-serviceaccount.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-serviceaccount.yaml new file mode 100644 index 0000000000..5729a8bc15 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/templates/f5-bigip-ctlr-serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create -}} +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2701/values.yaml b/charts/f5/f5-bigip-ctlr/0.0.2701/values.yaml new file mode 100644 index 0000000000..d9952d45af --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2701/values.yaml @@ -0,0 +1,90 @@ +# For additional information on installing the k8-bigip-ctlr please see: +# Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#cis-installation +# OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/#cis-installation +# +# access / permissions / RBAC +# To create a secret using kubectl see +# https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually +bigip_login_secret: f5-bigip-ctlr-login + +bigip_secret: + create: false + username: + password: + +rbac: + create: true +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: f5-bigip-ctlr-serviceaccount +# This namespace is where the Controller lives; +namespace: kube-system + +ingressClass: + create: true + ingressClassName: f5 + isDefaultIngressController: true +args: + # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html + # NOTE: helm has difficulty with values using `-`; `_` are used for naming + # and are replaced with `-` during rendering. + # REQUIRED Params + bigip_url: ~ + bigip_partition: f5-bigip-ctlr + # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use. + # verify_interval: + # node-poll_interval: + # log_level: + # python_basedir: ~ + # VXLAN + # openshift_sdn_name: + # flannel_name: + # KUBERNETES + # default_ingress_ip: + # kubeconfig: + # namespaces: ["foo", "bar"] + # namespace_label: + # node_label_selector: + # pool_member_type: + # resolve_ingress_names: + # running_in_cluster: + # use_node_internal: + # use_secrets: + # insecure: true + # custom-resource-mode: true + # log-as3-response: true + # gtm-bigip-password + # gtm-bigip-url + # gtm-bigip-username + # ipam : true + +image: + # Use the tag to target a specific version of the Controller + user: f5networks + repo: k8s-bigip-ctlr + pullPolicy: Always +version: latest +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/arch +# operator: Exists +# securityContext: +# runAsUser: 1000 +# runAsGroup: 3000 +# fsGroup: 2000 +# If you want to specify resources, uncomment the following +# limits_cpu: 100m +# limits_memory: 512Mi +# requests_cpu: 100m +# requests_memory: 512Mi +# Set podSecurityContext for Pod Security Admission and Pod Security Standards +# podSecurityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# privileged: true diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/.helmignore b/charts/f5/f5-bigip-ctlr/0.0.2801/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/.helmignore rename to charts/f5/f5-bigip-ctlr/0.0.2801/.helmignore diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/Chart.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/Chart.yaml new file mode 100644 index 0000000000..b652af4cc6 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes and + OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr +apiVersion: v1 +description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). +home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services +icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 +keywords: +- F5 +- BIG-IP +- Containers +- Kubernetes +- OpenShift +maintainers: +- email: f5_cis_operators@f5.com + name: F5CISSupport +name: f5-bigip-ctlr +sources: +- https://github.com/F5Networks/k8s-bigip-ctlr +- https://github.com/F5Networks/charts +version: 0.0.2801 diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/README.md b/charts/f5/f5-bigip-ctlr/0.0.2801/README.md new file mode 100644 index 0000000000..0dc941a99d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/README.md @@ -0,0 +1,93 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- (Optional) Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart if BIGIP credential secrets created manually using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds if BIGIP credential secrets created manually (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +- If you want to create the BIGIP credential secret with helm charts use the following command: + +```helm install --set bigip_secret.create="true" --set bigip_secret.username=$BIGIP_USERNAME --set bigip_secret.password=$BIGIP_PASSWORD -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Optional | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +bigip_secret.create | Optional | Create kubernetes secret using username and password | false +bigip_secret.username | Optional | bigip username to create the kubernetes secret | empty +bigip_secret.password | Optional | bigip password to create the kubernetes secret | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of deployment securityContext | empty +podSecurityContext | Optional | Dictionary of pod securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.isDefaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + +Note: bigip_login_secret and bigip_secret are mutually exclusive, if both are defined in values.yaml file bigip_secret will be given priority. + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/app-readme.md b/charts/f5/f5-bigip-ctlr/0.0.2801/app-readme.md new file mode 100644 index 0000000000..6f28ef779d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/app-readme.md @@ -0,0 +1,87 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Required | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.defaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + + + + + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/0.0.2801/crds/f5-bigip-ctlr-customresourcedefinitions.yml new file mode 100644 index 0000000000..dcd85c9493 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -0,0 +1,1113 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + httpTraffic: + type: string + enum: [allow, none, redirect] + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + tlsProfileName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + policyName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + rewriteAppRoot: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + waf: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + path: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostRewrite: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ http, https, tcp ] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + minimumMonitors: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + - servicePort + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + hosts: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + tls: + type: object + properties: + termination: + type: string + enum: [edge, reencrypt, passthrough] + clientSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + clientSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip, secret] + clientSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + serverSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + required: + - termination + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + clientSubnetPreferred: + type: boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer + minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + lbModeFallback: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: [ uieSourceAddress, hashSourceAddress ] + timeOut: + type: integer + minimum: 1 + default: 180 diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/questions.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/questions.yaml new file mode 100644 index 0000000000..4d276dfbde --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/questions.yaml @@ -0,0 +1,75 @@ +questions: +- variable: bigip_login_secret + required: true + type: string + label: "Name of the k8s secret object with BIG-IP login credentials." +- variable: args.bigip_url + required: true + type: string + label: "BIG-IP Management IP/URL" +- variable: args.bigip_partition + required: true + type: string + label: "BIG-IP Partition" +- variable: image.user + type: string + label: "Image Repository where CIS image is hosted" +- variable: image.repo + type: string + label: "CIS image name" +- variable: version + type: string + label: "CIS version tag." + default: "latest" +- variable: args.pool_member_type + type: string + label: "Type of BIG-IP Pool members to create." + default: "nodeport" +- variable: args.node_poll_interval + type: string + label: "In seconds, the interval at which the CIS polls the cluster to find all node members." + default: "30" +- variable: args.verify_interval + type: string + label: "In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system." + default: "30" +- variable: args.agent + type: string + label: "Specify the agent for CIS to communicate with BIG-IP. CCCL or AS3" + default: "as3" +- variable: args.custom_resource_mode + type: string + label: "Set 'true' to process CRD resources. Supported in AS3 agent. When true ConfigMaps, Routes, and Ingress are not processed by CIS." + default: "false" +- variable: args.ipam + type: string + label: "Specify if CIS provides the ability to interface with F5 IPAM Controller (FIC). Valid with agent AS3." + default: "false" +- variable: args.disable_teems + type: string + label: "If true, analytics data is not sent to F5." + default: "false" +- variable: args.hubmode + type: string + label: "When `true`, ConfigMaps with Services in same and different namespace are processed. CIS >= 2.5.0+. Valid with agent AS3." + default: "false" +- variable: args.default_route_domain + type: string + label: "Set default Route Domain for Custom resources. Valid with agent AS3." + default: "0" +- variable: args.filter_tenants + type: string + label: "Specify to use tenant filtering API for AS3 declaration. This allows CIS to process each AS3 Tenant separately. Compatible with ConfigMap only. Valid with agent AS3. CIS >= 2.7" + default: "false" +- variable: args.enable_ipv6 + type: string + label: "When set to true, it enables IPv6 network support. CIS >= 2.7." + default: "false" +- variable: args.log_level + type: string + label: "Configured the log level. INFO, DEBUG, CRITICAL, WARNING, ERROR." + default: "INFO" +- variable: args.log_as3_response + type: string + label: "When set to true, adds the body of AS3 API response in Controller logs." + default: "false" diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/NOTES.txt b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/NOTES.txt new file mode 100644 index 0000000000..302512a9b3 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/NOTES.txt @@ -0,0 +1,6 @@ +Container Ingress Services controller: {{ .Release.Name }} + +Controller Documentation: +- Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/ +- OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/ + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/_helpers.tpl b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/_helpers.tpl new file mode 100644 index 0000000000..7ce05d2ef2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/_helpers.tpl @@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "f5-bigip-ctlr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Check for user given namespace or give kube-system +*/}} +{{- define "f5-bigip-ctlr.namespace" -}} +{{- if hasKey .Values "namespace" -}} +{{- .Values.namespace -}} +{{- else -}} +{{- print "kube-system" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "f5-bigip-ctlr.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "f5-bigip-ctlr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* +Create the name of the service account to use +*/}} +{{- define "f5-bigip-ctlr.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "f5-bigip-ctlr.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrole.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrole.yaml new file mode 100644 index 0000000000..c60eb6eb8a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrole.yaml @@ -0,0 +1,111 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - nodes + - services + - endpoints + - namespaces + - ingresses + - pods + - ingressclasses + - policies + - routes + verbs: + - get + - list + - watch + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - configmaps + - events + - ingresses/status + - services/status + - routes/status + verbs: + - get + - list + - watch + - update + - create + - patch + - apiGroups: + - cis.f5.com + resources: + - virtualservers + - virtualservers/status + - tlsprofiles + - transportservers + - transportservers/status + - ingresslinks + - ingresslinks/status + - externaldnses + - policies + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - '' + - extensions + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - config.openshift.io/v1 + resources: + - network + verbs: + - list +{{- if .Values.args.ipam }} + - apiGroups: + - fic.f5.com + resources: + - ipams + - ipams/status + verbs: + - get + - list + - watch + - update + - create + - patch + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update + - create + - patch +{{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrolebinding.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrolebinding.yaml new file mode 100644 index 0000000000..aba54704d7 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "f5-bigip-ctlr.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-deploy.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-deploy.yaml new file mode 100644 index 0000000000..7cb7152803 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-deploy.yaml @@ -0,0 +1,135 @@ +{{- if or (not .Values.args.bigip_url) (not .Values.args.bigip_partition) }} +{{/* +Generate errors for missing required values. +*/}} +# {{required "BIG-IP url not specified - add to Values or pass with `--set` " .Values.args.bigip_url }} +# {{required "BIG-IP partition not specified - add to Values or pass with `--set` " .Values.args.bigip_partition }} +{{- else -}} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "-" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "f5-bigip-ctlr.name" . }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + release: {{ .Release.Name }} + spec: +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} + serviceAccountName: {{ template "f5-bigip-ctlr.serviceAccountName" . }} +{{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range $pullSecret := .Values.image.pullSecrets }} + - name: {{ $pullSecret }} + {{- end }} +{{- end }} + securityContext: + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsUser }} + runAsUser: {{ $securityContext.runAsUser }} + {{- else }} + runAsUser: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsGroup }} + runAsGroup: {{ $securityContext.runAsGroup }} + {{- else }} + runAsGroup: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.fsGroup }} + fsGroup: {{ $securityContext.fsGroup }} + {{- else }} + fsGroup: 1000 + {{- end }} + containers: + - name: {{ template "f5-bigip-ctlr.name" . }} + image: "{{ .Values.image.user }}/{{ .Values.image.repo }}:{{ .Values.version }}" + {{- if .Values.podSecurityContext }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 15 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 15 + volumeMounts: + - name: bigip-creds + mountPath: "/tmp/creds" + readOnly: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /app/bin/k8s-bigip-ctlr + args: + - --credentials-directory + - /tmp/creds + {{- $ns := .Values.args.namespaces }} + {{- range $key, $value := .Values.args }} + {{- if eq $key "namespaces" }} + {{- range $ns}} + - --namespace={{ . }} + {{- end }} + {{- else }} + - --{{ $key | replace "_" "-"}}={{ $value }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.limits_cpu | default "100m" }} + memory: {{ .Values.limits_memory | default "512Mi" }} + requests: + cpu: {{ .Values.requests_cpu | default "100m" }} + memory: {{ .Values.requests_memory | default "512Mi" }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6}} +{{- end }} + volumes: + - name: bigip-creds + secret: + {{- if .Values.bigip_secret.create }} + secretName: f5-bigip-ctlr-login + {{- else }} + secretName: {{ .Values.bigip_login_secret }} + {{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-ingress-class.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-ingress-class.yaml new file mode 100644 index 0000000000..2105a219a2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-ingress-class.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.create -}} + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.ingressClass.ingressClassName | default "f5" }} + annotations: + ingressclass.kubernetes.io/is-default-class: "{{ .Values.ingressClass.isDefaultIngressController | default false }}" +spec: + controller: f5.com/cntr-ingress-svcs + +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-secrets.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-secrets.yaml new file mode 100644 index 0000000000..181415835a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-secrets.yaml @@ -0,0 +1,19 @@ +{{- if .Values.bigip_secret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: f5-bigip-ctlr-login + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + username: {{ .Values.bigip_secret.username | b64enc | quote }} + password: {{ .Values.bigip_secret.password | b64enc | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-serviceaccount.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-serviceaccount.yaml new file mode 100644 index 0000000000..5729a8bc15 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/templates/f5-bigip-ctlr-serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create -}} +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2801/values.yaml b/charts/f5/f5-bigip-ctlr/0.0.2801/values.yaml new file mode 100644 index 0000000000..d9952d45af --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2801/values.yaml @@ -0,0 +1,90 @@ +# For additional information on installing the k8-bigip-ctlr please see: +# Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#cis-installation +# OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/#cis-installation +# +# access / permissions / RBAC +# To create a secret using kubectl see +# https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually +bigip_login_secret: f5-bigip-ctlr-login + +bigip_secret: + create: false + username: + password: + +rbac: + create: true +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: f5-bigip-ctlr-serviceaccount +# This namespace is where the Controller lives; +namespace: kube-system + +ingressClass: + create: true + ingressClassName: f5 + isDefaultIngressController: true +args: + # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html + # NOTE: helm has difficulty with values using `-`; `_` are used for naming + # and are replaced with `-` during rendering. + # REQUIRED Params + bigip_url: ~ + bigip_partition: f5-bigip-ctlr + # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use. + # verify_interval: + # node-poll_interval: + # log_level: + # python_basedir: ~ + # VXLAN + # openshift_sdn_name: + # flannel_name: + # KUBERNETES + # default_ingress_ip: + # kubeconfig: + # namespaces: ["foo", "bar"] + # namespace_label: + # node_label_selector: + # pool_member_type: + # resolve_ingress_names: + # running_in_cluster: + # use_node_internal: + # use_secrets: + # insecure: true + # custom-resource-mode: true + # log-as3-response: true + # gtm-bigip-password + # gtm-bigip-url + # gtm-bigip-username + # ipam : true + +image: + # Use the tag to target a specific version of the Controller + user: f5networks + repo: k8s-bigip-ctlr + pullPolicy: Always +version: latest +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/arch +# operator: Exists +# securityContext: +# runAsUser: 1000 +# runAsGroup: 3000 +# fsGroup: 2000 +# If you want to specify resources, uncomment the following +# limits_cpu: 100m +# limits_memory: 512Mi +# requests_cpu: 100m +# requests_memory: 512Mi +# Set podSecurityContext for Pod Security Admission and Pod Security Standards +# podSecurityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# privileged: true diff --git a/charts/gluu/gluu/charts/auth-server/.helmignore b/charts/f5/f5-bigip-ctlr/0.0.2901/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/auth-server/.helmignore rename to charts/f5/f5-bigip-ctlr/0.0.2901/.helmignore diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/Chart.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/Chart.yaml new file mode 100644 index 0000000000..428f7ecd0b --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: F5 Container Ingress Services for Kubernetes and + OpenShift + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: f5-bigip-ctlr +apiVersion: v1 +description: Deploy the F5 Networks BIG-IP Controller for Kubernetes and OpenShift + (k8s-bigip-ctlr). +home: https://www.f5.com/products/automation-and-orchestration/container-ingress-services +icon: https://avatars.githubusercontent.com/u/8935905?s=200&v=4 +keywords: +- F5 +- BIG-IP +- Containers +- Kubernetes +- OpenShift +maintainers: +- email: f5_cis_operators@f5.com + name: F5CISSupport +name: f5-bigip-ctlr +sources: +- https://github.com/F5Networks/k8s-bigip-ctlr +- https://github.com/F5Networks/charts +version: 0.0.2901 diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/README.md b/charts/f5/f5-bigip-ctlr/0.0.2901/README.md new file mode 100644 index 0000000000..0dc941a99d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/README.md @@ -0,0 +1,93 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- (Optional) Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart if BIGIP credential secrets created manually using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds if BIGIP credential secrets created manually (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +- If you want to create the BIGIP credential secret with helm charts use the following command: + +```helm install --set bigip_secret.create="true" --set bigip_secret.username=$BIGIP_USERNAME --set bigip_secret.password=$BIGIP_PASSWORD -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Optional | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +bigip_secret.create | Optional | Create kubernetes secret using username and password | false +bigip_secret.username | Optional | bigip username to create the kubernetes secret | empty +bigip_secret.password | Optional | bigip password to create the kubernetes secret | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of deployment securityContext | empty +podSecurityContext | Optional | Dictionary of pod securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.isDefaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + +Note: bigip_login_secret and bigip_secret are mutually exclusive, if both are defined in values.yaml file bigip_secret will be given priority. + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/app-readme.md b/charts/f5/f5-bigip-ctlr/0.0.2901/app-readme.md new file mode 100644 index 0000000000..6f28ef779d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/app-readme.md @@ -0,0 +1,87 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Required | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.defaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + + + + + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/0.0.2901/crds/f5-bigip-ctlr-customresourcedefinitions.yml new file mode 100644 index 0000000000..8cad89b784 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/crds/f5-bigip-ctlr-customresourcedefinitions.yml @@ -0,0 +1,1230 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostAliases: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + hostGroupVirtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + httpTraffic: + type: string + enum: [allow, none, redirect] + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + tlsProfileName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostPersistence: + type: object + properties: + method: + type: string + enum: [ sourceAddress, destinationAddress, cookieInsert, cookieRewrite, cookiePassive, cookieHash, universal, hash, carp, none ] + metaData: + type: object + properties: + name: + type: string + key: + type: string + netmask: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + timeout: + type: integer + minimum: 1 + maximum: 65535 + offset: + type: integer + minimum: 1 + maximum: 65535 + length: + type: integer + minimum: 1 + maximum: 65535 + expiry: + type: string + pattern: '^((?:(?:[0-9]+d))|(?:(?:[0-9]+d)?((?:[01]?[0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?)))$' + required: + - method + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + policyName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + rewriteAppRoot: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + waf: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + path: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostRewrite: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ http, https, tcp ] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + minimumMonitors: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + - servicePort + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + hosts: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + tls: + type: object + properties: + termination: + type: string + enum: [edge, reencrypt, passthrough] + clientSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + clientSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip, secret, hybrid] + clientSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + profileReference: + type: string + enum: [ bigip, secret ] + serverSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + profileReference: + type: string + enum: [ bigip, secret ] + required: + - termination + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + namespace: + type: string + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + clientSubnetPreferred: + type: boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer + minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + lbModeFallback: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + sslProfile: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + htmlProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: [ uieSourceAddress, hashSourceAddress ] + timeOut: + type: integer + minimum: 1 + default: 180 diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/questions.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/questions.yaml new file mode 100644 index 0000000000..4d276dfbde --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/questions.yaml @@ -0,0 +1,75 @@ +questions: +- variable: bigip_login_secret + required: true + type: string + label: "Name of the k8s secret object with BIG-IP login credentials." +- variable: args.bigip_url + required: true + type: string + label: "BIG-IP Management IP/URL" +- variable: args.bigip_partition + required: true + type: string + label: "BIG-IP Partition" +- variable: image.user + type: string + label: "Image Repository where CIS image is hosted" +- variable: image.repo + type: string + label: "CIS image name" +- variable: version + type: string + label: "CIS version tag." + default: "latest" +- variable: args.pool_member_type + type: string + label: "Type of BIG-IP Pool members to create." + default: "nodeport" +- variable: args.node_poll_interval + type: string + label: "In seconds, the interval at which the CIS polls the cluster to find all node members." + default: "30" +- variable: args.verify_interval + type: string + label: "In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system." + default: "30" +- variable: args.agent + type: string + label: "Specify the agent for CIS to communicate with BIG-IP. CCCL or AS3" + default: "as3" +- variable: args.custom_resource_mode + type: string + label: "Set 'true' to process CRD resources. Supported in AS3 agent. When true ConfigMaps, Routes, and Ingress are not processed by CIS." + default: "false" +- variable: args.ipam + type: string + label: "Specify if CIS provides the ability to interface with F5 IPAM Controller (FIC). Valid with agent AS3." + default: "false" +- variable: args.disable_teems + type: string + label: "If true, analytics data is not sent to F5." + default: "false" +- variable: args.hubmode + type: string + label: "When `true`, ConfigMaps with Services in same and different namespace are processed. CIS >= 2.5.0+. Valid with agent AS3." + default: "false" +- variable: args.default_route_domain + type: string + label: "Set default Route Domain for Custom resources. Valid with agent AS3." + default: "0" +- variable: args.filter_tenants + type: string + label: "Specify to use tenant filtering API for AS3 declaration. This allows CIS to process each AS3 Tenant separately. Compatible with ConfigMap only. Valid with agent AS3. CIS >= 2.7" + default: "false" +- variable: args.enable_ipv6 + type: string + label: "When set to true, it enables IPv6 network support. CIS >= 2.7." + default: "false" +- variable: args.log_level + type: string + label: "Configured the log level. INFO, DEBUG, CRITICAL, WARNING, ERROR." + default: "INFO" +- variable: args.log_as3_response + type: string + label: "When set to true, adds the body of AS3 API response in Controller logs." + default: "false" diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/NOTES.txt b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/NOTES.txt new file mode 100644 index 0000000000..302512a9b3 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/NOTES.txt @@ -0,0 +1,6 @@ +Container Ingress Services controller: {{ .Release.Name }} + +Controller Documentation: +- Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/ +- OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/ + diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/_helpers.tpl b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/_helpers.tpl new file mode 100644 index 0000000000..7ce05d2ef2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/_helpers.tpl @@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "f5-bigip-ctlr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Check for user given namespace or give kube-system +*/}} +{{- define "f5-bigip-ctlr.namespace" -}} +{{- if hasKey .Values "namespace" -}} +{{- .Values.namespace -}} +{{- else -}} +{{- print "kube-system" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "f5-bigip-ctlr.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "f5-bigip-ctlr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* +Create the name of the service account to use +*/}} +{{- define "f5-bigip-ctlr.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "f5-bigip-ctlr.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrole.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrole.yaml new file mode 100644 index 0000000000..c60eb6eb8a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrole.yaml @@ -0,0 +1,111 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - nodes + - services + - endpoints + - namespaces + - ingresses + - pods + - ingressclasses + - policies + - routes + verbs: + - get + - list + - watch + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - configmaps + - events + - ingresses/status + - services/status + - routes/status + verbs: + - get + - list + - watch + - update + - create + - patch + - apiGroups: + - cis.f5.com + resources: + - virtualservers + - virtualservers/status + - tlsprofiles + - transportservers + - transportservers/status + - ingresslinks + - ingresslinks/status + - externaldnses + - policies + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - '' + - extensions + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - config.openshift.io/v1 + resources: + - network + verbs: + - list +{{- if .Values.args.ipam }} + - apiGroups: + - fic.f5.com + resources: + - ipams + - ipams/status + verbs: + - get + - list + - watch + - update + - create + - patch + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update + - create + - patch +{{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrolebinding.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrolebinding.yaml new file mode 100644 index 0000000000..aba54704d7 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "f5-bigip-ctlr.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-deploy.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-deploy.yaml new file mode 100644 index 0000000000..7cb7152803 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-deploy.yaml @@ -0,0 +1,135 @@ +{{- if or (not .Values.args.bigip_url) (not .Values.args.bigip_partition) }} +{{/* +Generate errors for missing required values. +*/}} +# {{required "BIG-IP url not specified - add to Values or pass with `--set` " .Values.args.bigip_url }} +# {{required "BIG-IP partition not specified - add to Values or pass with `--set` " .Values.args.bigip_partition }} +{{- else -}} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "-" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "f5-bigip-ctlr.name" . }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + release: {{ .Release.Name }} + spec: +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} + serviceAccountName: {{ template "f5-bigip-ctlr.serviceAccountName" . }} +{{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range $pullSecret := .Values.image.pullSecrets }} + - name: {{ $pullSecret }} + {{- end }} +{{- end }} + securityContext: + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsUser }} + runAsUser: {{ $securityContext.runAsUser }} + {{- else }} + runAsUser: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsGroup }} + runAsGroup: {{ $securityContext.runAsGroup }} + {{- else }} + runAsGroup: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.fsGroup }} + fsGroup: {{ $securityContext.fsGroup }} + {{- else }} + fsGroup: 1000 + {{- end }} + containers: + - name: {{ template "f5-bigip-ctlr.name" . }} + image: "{{ .Values.image.user }}/{{ .Values.image.repo }}:{{ .Values.version }}" + {{- if .Values.podSecurityContext }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 15 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 15 + volumeMounts: + - name: bigip-creds + mountPath: "/tmp/creds" + readOnly: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /app/bin/k8s-bigip-ctlr + args: + - --credentials-directory + - /tmp/creds + {{- $ns := .Values.args.namespaces }} + {{- range $key, $value := .Values.args }} + {{- if eq $key "namespaces" }} + {{- range $ns}} + - --namespace={{ . }} + {{- end }} + {{- else }} + - --{{ $key | replace "_" "-"}}={{ $value }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.limits_cpu | default "100m" }} + memory: {{ .Values.limits_memory | default "512Mi" }} + requests: + cpu: {{ .Values.requests_cpu | default "100m" }} + memory: {{ .Values.requests_memory | default "512Mi" }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6}} +{{- end }} + volumes: + - name: bigip-creds + secret: + {{- if .Values.bigip_secret.create }} + secretName: f5-bigip-ctlr-login + {{- else }} + secretName: {{ .Values.bigip_login_secret }} + {{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-ingress-class.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-ingress-class.yaml new file mode 100644 index 0000000000..2105a219a2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-ingress-class.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.create -}} + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.ingressClass.ingressClassName | default "f5" }} + annotations: + ingressclass.kubernetes.io/is-default-class: "{{ .Values.ingressClass.isDefaultIngressController | default false }}" +spec: + controller: f5.com/cntr-ingress-svcs + +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-secrets.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-secrets.yaml new file mode 100644 index 0000000000..181415835a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-secrets.yaml @@ -0,0 +1,19 @@ +{{- if .Values.bigip_secret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: f5-bigip-ctlr-login + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + username: {{ .Values.bigip_secret.username | b64enc | quote }} + password: {{ .Values.bigip_secret.password | b64enc | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-serviceaccount.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-serviceaccount.yaml new file mode 100644 index 0000000000..5729a8bc15 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/templates/f5-bigip-ctlr-serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create -}} +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.2901/values.yaml b/charts/f5/f5-bigip-ctlr/0.0.2901/values.yaml new file mode 100644 index 0000000000..d9952d45af --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.2901/values.yaml @@ -0,0 +1,90 @@ +# For additional information on installing the k8-bigip-ctlr please see: +# Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#cis-installation +# OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/#cis-installation +# +# access / permissions / RBAC +# To create a secret using kubectl see +# https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually +bigip_login_secret: f5-bigip-ctlr-login + +bigip_secret: + create: false + username: + password: + +rbac: + create: true +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: f5-bigip-ctlr-serviceaccount +# This namespace is where the Controller lives; +namespace: kube-system + +ingressClass: + create: true + ingressClassName: f5 + isDefaultIngressController: true +args: + # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html + # NOTE: helm has difficulty with values using `-`; `_` are used for naming + # and are replaced with `-` during rendering. + # REQUIRED Params + bigip_url: ~ + bigip_partition: f5-bigip-ctlr + # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use. + # verify_interval: + # node-poll_interval: + # log_level: + # python_basedir: ~ + # VXLAN + # openshift_sdn_name: + # flannel_name: + # KUBERNETES + # default_ingress_ip: + # kubeconfig: + # namespaces: ["foo", "bar"] + # namespace_label: + # node_label_selector: + # pool_member_type: + # resolve_ingress_names: + # running_in_cluster: + # use_node_internal: + # use_secrets: + # insecure: true + # custom-resource-mode: true + # log-as3-response: true + # gtm-bigip-password + # gtm-bigip-url + # gtm-bigip-username + # ipam : true + +image: + # Use the tag to target a specific version of the Controller + user: f5networks + repo: k8s-bigip-ctlr + pullPolicy: Always +version: latest +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/arch +# operator: Exists +# securityContext: +# runAsUser: 1000 +# runAsGroup: 3000 +# fsGroup: 2000 +# If you want to specify resources, uncomment the following +# limits_cpu: 100m +# limits_memory: 512Mi +# requests_cpu: 100m +# requests_memory: 512Mi +# Set podSecurityContext for Pod Security Admission and Pod Security Standards +# podSecurityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# privileged: true diff --git a/charts/gluu/gluu/charts/config-api/.helmignore b/charts/f5/f5-bigip-ctlr/0.0.3001/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/config-api/.helmignore rename to charts/f5/f5-bigip-ctlr/0.0.3001/.helmignore diff --git a/charts/f5/f5-bigip-ctlr/Chart.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/Chart.yaml similarity index 100% rename from charts/f5/f5-bigip-ctlr/Chart.yaml rename to charts/f5/f5-bigip-ctlr/0.0.3001/Chart.yaml diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/README.md b/charts/f5/f5-bigip-ctlr/0.0.3001/README.md new file mode 100644 index 0000000000..0dc941a99d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/README.md @@ -0,0 +1,93 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- (Optional) Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart if BIGIP credential secrets created manually using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds if BIGIP credential secrets created manually (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +- If you want to create the BIGIP credential secret with helm charts use the following command: + +```helm install --set bigip_secret.create="true" --set bigip_secret.username=$BIGIP_USERNAME --set bigip_secret.password=$BIGIP_PASSWORD -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Optional | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +bigip_secret.create | Optional | Create kubernetes secret using username and password | false +bigip_secret.username | Optional | bigip username to create the kubernetes secret | empty +bigip_secret.password | Optional | bigip password to create the kubernetes secret | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of deployment securityContext | empty +podSecurityContext | Optional | Dictionary of pod securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.isDefaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + +Note: bigip_login_secret and bigip_secret are mutually exclusive, if both are defined in values.yaml file bigip_secret will be given priority. + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/app-readme.md b/charts/f5/f5-bigip-ctlr/0.0.3001/app-readme.md new file mode 100644 index 0000000000..6f28ef779d --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/app-readme.md @@ -0,0 +1,87 @@ +# Helm Chart for the F5 Container Ingress Services + +This chart simplifies repeatable, versioned deployment of the [Container Ingress Services](https://clouddocs.f5.com/containers/latest/). + +### Prerequisites +- Refer to [CIS Prerequisites](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html#prerequisites) to install Container Ingress Services on Kubernetes or Openshift +- [Helm 3](https://helm.sh/docs/intro/) should be installed. + + +## Installing CIS Using Helm Charts + +This is the simplest way to install the CIS on OpenShift/Kubernetes cluster. Helm is a package manager for Kubernetes. Helm is Kubernetes version of yum or apt. Helm deploys something called charts, which you can think of as a packaged application. It is a collection of all your versioned, pre-configured application resources which can be deployed as one unit. This chart creates a Deployment for one Pod containing the [k8s-bigip-ctlr](https://clouddocs.f5.com/containers/latest/), it's supporting RBAC, Service Account and Custom Resources Definition installations. + +## Installing the Chart + +- Add BIG-IP credentials as K8S secrets. + +For Kubernetes, use the following command: + +```kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +For OpenShift, use the following command: + +```oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=admin --from-literal=password=``` + +- Add the CIS chart repository in Helm using following command: + +```helm repo add f5-stable https://f5networks.github.io/charts/stable``` + +- Create values.yaml as shown in [examples](https://github.com/F5Networks/charts/tree/master/example_values/f5-bigip-ctlr): + +- Install the Helm chart using the following command: + +```helm install -f values.yaml f5-stable/f5-bigip-ctlr``` + +- Install the Helm chart with skip crds (without custom resource definitions installations) + +```helm install --skip-crds -f values.yaml f5-stable/f5-bigip-ctlr``` + +## Chart parameters: + +Parameter | Required | Description | Default +----------|-------------|-------------|-------- +bigip_login_secret | Required | Secret that contains BIG-IP login credentials | f5-bigip-ctlr-login +args.bigip_url | Required | The management IP for your BIG-IP device | **Required**, no default +args.bigip_partition | Required | BIG-IP partition the CIS Controller will manage | f5-bigip-ctlr +args.namespaces | Optional | List of Kubernetes namespaces which CIS will monitor | empty +rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true +serviceAccount.name | Optional | name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount +serviceAccount.create | Optional | Create service account for the CIS controller | true +namespace | Optional | name of namespace CIS will use to create deployment and other resources | kube-system +image.user | Optional | CIS Controller image repository username | f5networks +image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr +image.pullPolicy | Optional | CIS Controller image pull policy | Always +image.pullSecrets | Optional | List of secrets of container registry to pull image | empty +version | Optional | CIS Controller image tag | latest +nodeSelector | Optional | dictionary of Node selector labels | empty +tolerations | Optional | Array of labels | empty +limits_cpu | Optional | CPU limits for the pod | 100m +limits_memory | Optional | Memory limits for the pod | 512Mi +requests_cpu | Optional | CPU request for the pod | 100m +requests_memory | Optional | Memory request for the pod | 512Mi +affinity | Optional | Dictionary of affinity | empty +securityContext | Optional | Dictionary of securityContext | empty +ingressClass.ingressClassName | Optional | Name of ingress class | f5 +ingressClass.defaultIngressController | Optional | CIS will monitor all the ingresses resource if set true | false +ingressClass.create | Optional | Create ingress class | true + + + + + + +See the CIS documentation for a full list of args supported for CIS [CIS Configuration Options](https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html) + +> **Note:** Helm value names cannot include the character `-` which is commonly used in the names of parameters passed to the controller. To accomodate Helm, the parameter names in `values.yaml` use `_` and then replace them with `-` when rendering. +> e.g. `args.bigip_url` is rendered as `bigip-url` as required by the CIS Controller. + + +If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please [open an issue](https://github.com/F5Networks/charts/issues) describing your use case and providing example resources. + +## Uninstalling Helm Chart + +Run the following command to uninstall the chart. + +```helm uninstall ``` + diff --git a/charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml b/charts/f5/f5-bigip-ctlr/0.0.3001/crds/f5-bigip-ctlr-customresourcedefinitions.yml similarity index 100% rename from charts/f5/f5-bigip-ctlr/crds/f5-bigip-ctlr-customresourcedefinitions.yml rename to charts/f5/f5-bigip-ctlr/0.0.3001/crds/f5-bigip-ctlr-customresourcedefinitions.yml diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/questions.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/questions.yaml new file mode 100644 index 0000000000..4d276dfbde --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/questions.yaml @@ -0,0 +1,75 @@ +questions: +- variable: bigip_login_secret + required: true + type: string + label: "Name of the k8s secret object with BIG-IP login credentials." +- variable: args.bigip_url + required: true + type: string + label: "BIG-IP Management IP/URL" +- variable: args.bigip_partition + required: true + type: string + label: "BIG-IP Partition" +- variable: image.user + type: string + label: "Image Repository where CIS image is hosted" +- variable: image.repo + type: string + label: "CIS image name" +- variable: version + type: string + label: "CIS version tag." + default: "latest" +- variable: args.pool_member_type + type: string + label: "Type of BIG-IP Pool members to create." + default: "nodeport" +- variable: args.node_poll_interval + type: string + label: "In seconds, the interval at which the CIS polls the cluster to find all node members." + default: "30" +- variable: args.verify_interval + type: string + label: "In seconds, the interval at which the CIS verifies that the BIG-IP configuration matches the state of the orchestration system." + default: "30" +- variable: args.agent + type: string + label: "Specify the agent for CIS to communicate with BIG-IP. CCCL or AS3" + default: "as3" +- variable: args.custom_resource_mode + type: string + label: "Set 'true' to process CRD resources. Supported in AS3 agent. When true ConfigMaps, Routes, and Ingress are not processed by CIS." + default: "false" +- variable: args.ipam + type: string + label: "Specify if CIS provides the ability to interface with F5 IPAM Controller (FIC). Valid with agent AS3." + default: "false" +- variable: args.disable_teems + type: string + label: "If true, analytics data is not sent to F5." + default: "false" +- variable: args.hubmode + type: string + label: "When `true`, ConfigMaps with Services in same and different namespace are processed. CIS >= 2.5.0+. Valid with agent AS3." + default: "false" +- variable: args.default_route_domain + type: string + label: "Set default Route Domain for Custom resources. Valid with agent AS3." + default: "0" +- variable: args.filter_tenants + type: string + label: "Specify to use tenant filtering API for AS3 declaration. This allows CIS to process each AS3 Tenant separately. Compatible with ConfigMap only. Valid with agent AS3. CIS >= 2.7" + default: "false" +- variable: args.enable_ipv6 + type: string + label: "When set to true, it enables IPv6 network support. CIS >= 2.7." + default: "false" +- variable: args.log_level + type: string + label: "Configured the log level. INFO, DEBUG, CRITICAL, WARNING, ERROR." + default: "INFO" +- variable: args.log_as3_response + type: string + label: "When set to true, adds the body of AS3 API response in Controller logs." + default: "false" diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/NOTES.txt b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/NOTES.txt new file mode 100644 index 0000000000..302512a9b3 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/NOTES.txt @@ -0,0 +1,6 @@ +Container Ingress Services controller: {{ .Release.Name }} + +Controller Documentation: +- Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/ +- OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/ + diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/_helpers.tpl b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/_helpers.tpl new file mode 100644 index 0000000000..7ce05d2ef2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/_helpers.tpl @@ -0,0 +1,64 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "f5-bigip-ctlr.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "deployment.apiVersion" -}} +{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "apps/v1" -}} +{{- else -}} +{{- print "extensions/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Check for user given namespace or give kube-system +*/}} +{{- define "f5-bigip-ctlr.namespace" -}} +{{- if hasKey .Values "namespace" -}} +{{- .Values.namespace -}} +{{- else -}} +{{- print "kube-system" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "f5-bigip-ctlr.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "f5-bigip-ctlr.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* +Create the name of the service account to use +*/}} +{{- define "f5-bigip-ctlr.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "f5-bigip-ctlr.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrole.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrole.yaml new file mode 100644 index 0000000000..c60eb6eb8a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrole.yaml @@ -0,0 +1,111 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - nodes + - services + - endpoints + - namespaces + - ingresses + - pods + - ingressclasses + - policies + - routes + verbs: + - get + - list + - watch + - apiGroups: + - '' + - extensions + - networking.k8s.io + - route.openshift.io + resources: + - configmaps + - events + - ingresses/status + - services/status + - routes/status + verbs: + - get + - list + - watch + - update + - create + - patch + - apiGroups: + - cis.f5.com + resources: + - virtualservers + - virtualservers/status + - tlsprofiles + - transportservers + - transportservers/status + - ingresslinks + - ingresslinks/status + - externaldnses + - policies + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - '' + - extensions + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - config.openshift.io/v1 + resources: + - network + verbs: + - list +{{- if .Values.args.ipam }} + - apiGroups: + - fic.f5.com + resources: + - ipams + - ipams/status + verbs: + - get + - list + - watch + - update + - create + - patch + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update + - create + - patch +{{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrolebinding.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrolebinding.yaml new file mode 100644 index 0000000000..aba54704d7 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-clusterrolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "f5-bigip-ctlr.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-deploy.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-deploy.yaml new file mode 100644 index 0000000000..7cb7152803 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-deploy.yaml @@ -0,0 +1,135 @@ +{{- if or (not .Values.args.bigip_url) (not .Values.args.bigip_partition) }} +{{/* +Generate errors for missing required values. +*/}} +# {{required "BIG-IP url not specified - add to Values or pass with `--set` " .Values.args.bigip_url }} +# {{required "BIG-IP partition not specified - add to Values or pass with `--set` " .Values.args.bigip_partition }} +{{- else -}} +apiVersion: {{ template "deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "f5-bigip-ctlr.fullname" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "-" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "f5-bigip-ctlr.name" . }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + release: {{ .Release.Name }} + spec: +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} + serviceAccountName: {{ template "f5-bigip-ctlr.serviceAccountName" . }} +{{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range $pullSecret := .Values.image.pullSecrets }} + - name: {{ $pullSecret }} + {{- end }} +{{- end }} + securityContext: + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsUser }} + runAsUser: {{ $securityContext.runAsUser }} + {{- else }} + runAsUser: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.runAsGroup }} + runAsGroup: {{ $securityContext.runAsGroup }} + {{- else }} + runAsGroup: 1000 + {{- end }} + {{- $securityContext := .Values.securityContext | default dict }} + {{- if $securityContext.fsGroup }} + fsGroup: {{ $securityContext.fsGroup }} + {{- else }} + fsGroup: 1000 + {{- end }} + containers: + - name: {{ template "f5-bigip-ctlr.name" . }} + image: "{{ .Values.image.user }}/{{ .Values.image.repo }}:{{ .Values.version }}" + {{- if .Values.podSecurityContext }} + securityContext: +{{ toYaml .Values.podSecurityContext | indent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 15 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /health + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 15 + volumeMounts: + - name: bigip-creds + mountPath: "/tmp/creds" + readOnly: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /app/bin/k8s-bigip-ctlr + args: + - --credentials-directory + - /tmp/creds + {{- $ns := .Values.args.namespaces }} + {{- range $key, $value := .Values.args }} + {{- if eq $key "namespaces" }} + {{- range $ns}} + - --namespace={{ . }} + {{- end }} + {{- else }} + - --{{ $key | replace "_" "-"}}={{ $value }} + {{- end }} + {{- end }} + resources: + limits: + cpu: {{ .Values.limits_cpu | default "100m" }} + memory: {{ .Values.limits_memory | default "512Mi" }} + requests: + cpu: {{ .Values.requests_cpu | default "100m" }} + memory: {{ .Values.requests_memory | default "512Mi" }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 6}} +{{- end }} + volumes: + - name: bigip-creds + secret: + {{- if .Values.bigip_secret.create }} + secretName: f5-bigip-ctlr-login + {{- else }} + secretName: {{ .Values.bigip_login_secret }} + {{- end }} +{{- end }} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-ingress-class.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-ingress-class.yaml new file mode 100644 index 0000000000..2105a219a2 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-ingress-class.yaml @@ -0,0 +1,12 @@ +{{- if .Values.ingressClass.create -}} + +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.ingressClass.ingressClassName | default "f5" }} + annotations: + ingressclass.kubernetes.io/is-default-class: "{{ .Values.ingressClass.isDefaultIngressController | default false }}" +spec: + controller: f5.com/cntr-ingress-svcs + +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-secrets.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-secrets.yaml new file mode 100644 index 0000000000..181415835a --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-secrets.yaml @@ -0,0 +1,19 @@ +{{- if .Values.bigip_secret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: f5-bigip-ctlr-login + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + username: {{ .Values.bigip_secret.username | b64enc | quote }} + password: {{ .Values.bigip_secret.password | b64enc | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-serviceaccount.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-serviceaccount.yaml new file mode 100644 index 0000000000..5729a8bc15 --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/templates/f5-bigip-ctlr-serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create -}} +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "f5-bigip-ctlr.serviceAccountName" . }} + namespace: {{ template "f5-bigip-ctlr.namespace" . }} + labels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "f5-bigip-ctlr.name" . }} + app: {{ template "f5-bigip-ctlr.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end -}} +{{- end -}} diff --git a/charts/f5/f5-bigip-ctlr/0.0.3001/values.yaml b/charts/f5/f5-bigip-ctlr/0.0.3001/values.yaml new file mode 100644 index 0000000000..d9952d45af --- /dev/null +++ b/charts/f5/f5-bigip-ctlr/0.0.3001/values.yaml @@ -0,0 +1,90 @@ +# For additional information on installing the k8-bigip-ctlr please see: +# Kubernetes: https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#cis-installation +# OpenShift: https://clouddocs.f5.com/containers/latest/userguide/openshift/#cis-installation +# +# access / permissions / RBAC +# To create a secret using kubectl see +# https://clouddocs.f5.com/containers/latest/userguide/kubernetes/#installing-cis-manually +bigip_login_secret: f5-bigip-ctlr-login + +bigip_secret: + create: false + username: + password: + +rbac: + create: true +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: f5-bigip-ctlr-serviceaccount +# This namespace is where the Controller lives; +namespace: kube-system + +ingressClass: + create: true + ingressClassName: f5 + isDefaultIngressController: true +args: + # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html + # NOTE: helm has difficulty with values using `-`; `_` are used for naming + # and are replaced with `-` during rendering. + # REQUIRED Params + bigip_url: ~ + bigip_partition: f5-bigip-ctlr + # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use. + # verify_interval: + # node-poll_interval: + # log_level: + # python_basedir: ~ + # VXLAN + # openshift_sdn_name: + # flannel_name: + # KUBERNETES + # default_ingress_ip: + # kubeconfig: + # namespaces: ["foo", "bar"] + # namespace_label: + # node_label_selector: + # pool_member_type: + # resolve_ingress_names: + # running_in_cluster: + # use_node_internal: + # use_secrets: + # insecure: true + # custom-resource-mode: true + # log-as3-response: true + # gtm-bigip-password + # gtm-bigip-url + # gtm-bigip-username + # ipam : true + +image: + # Use the tag to target a specific version of the Controller + user: f5networks + repo: k8s-bigip-ctlr + pullPolicy: Always +version: latest +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/arch +# operator: Exists +# securityContext: +# runAsUser: 1000 +# runAsGroup: 3000 +# fsGroup: 2000 +# If you want to specify resources, uncomment the following +# limits_cpu: 100m +# limits_memory: 512Mi +# requests_cpu: 100m +# requests_memory: 512Mi +# Set podSecurityContext for Pod Security Admission and Pod Security Standards +# podSecurityContext: +# runAsUser: 1000 +# runAsGroup: 1000 +# privileged: true diff --git a/charts/f5/nginx-ingress/.helmignore b/charts/f5/nginx-ingress/1.0.2/.helmignore similarity index 100% rename from charts/f5/nginx-ingress/.helmignore rename to charts/f5/nginx-ingress/1.0.2/.helmignore diff --git a/charts/f5/nginx-ingress/1.0.2/Chart.yaml b/charts/f5/nginx-ingress/1.0.2/Chart.yaml new file mode 100644 index 0000000000..43a7a13c63 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.3.2 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deployments/helm-chart/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments/helm-chart +type: application +version: 1.0.2 diff --git a/charts/f5/nginx-ingress/1.0.2/README.md b/charts/f5/nginx-ingress/1.0.2/README.md new file mode 100644 index 0000000000..95115a070d --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/README.md @@ -0,0 +1,479 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to + specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.0.2 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.3.2` + +3. Navigate to `/kubernates-ingress/deployments/helm-chart` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/deployments/helm-chart` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.3.2` + +3. Navigate to `/kubernates-ingress/deployments/helm-chart` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/deployments/helm-chart` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.3.2 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.2, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/app-readme.md b/charts/f5/nginx-ingress/1.0.2/app-readme.md similarity index 100% rename from charts/f5/nginx-ingress/app-readme.md rename to charts/f5/nginx-ingress/1.0.2/app-readme.md diff --git a/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..8c494414cb --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,1903 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxHeaders: + type: integer + maxParams: + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_CSRF + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_MANDATORY_HEADER + - VIOL_HEADER_REPEATED + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILETYPE + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_THREAT + - VIOL_RATING_NEED_EXAMINATION + - VIOL_REQUEST_MAX_LENGTH + - VIOL_REQUEST_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + pattern: '[0-9]|[1-9][0-9]|1[0-4][0-9]|150|default' + type: string + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + browserDefinition: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + pattern: any|\d+ + type: string + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + pattern: any|\d+ + type: string + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + pattern: any|\d+ + type: string + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + pattern: any|\d+ + type: string + maximumStructureDepth: + pattern: any|\d+ + type: string + maximumTotalLengthOfJSONData: + pattern: any|\d+ + type: string + maximumValueLength: + pattern: any|\d+ + type: string + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + pattern: any|\d+ + type: string + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + type: string + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + pattern: any|\d+ + type: string + maximumAttributesPerElement: + pattern: any|\d+ + type: string + maximumChildrenPerElement: + pattern: any|\d+ + type: string + maximumDocumentDepth: + pattern: any|\d+ + type: string + maximumDocumentSize: + pattern: any|\d+ + type: string + maximumElements: + pattern: any|\d+ + type: string + maximumNSDeclarations: + pattern: any|\d+ + type: string + maximumNameLength: + pattern: any|\d+ + type: string + maximumNamespaceLength: + pattern: any|\d+ + type: string + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotectdos.f5.com_apdoslogconfs.yaml rename to charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml diff --git a/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_apdospolicy.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotectdos.f5.com_apdospolicy.yaml rename to charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_apdospolicy.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..53a51c4939 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,81 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values a DosProtectedResource can have. + type: object + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the stress level of the protected object. The monitor requests are sent from localhost (127.0.0.1). Default value: URI - None, protocol - http1, timeout - NGINX App Protect DoS default.' + type: object + properties: + protocol: + description: Protocol determines if the server listens on http1 / http2 / grpc / websocket. The default is http1. + type: string + enum: + - http1 + - http2 + - grpc + - websocket + timeout: + description: Timeout determines how long (in seconds) should NGINX App Protect DoS wait for a response. Default is 10 seconds for http1/http2 and 5 seconds for grpc. + type: integer + format: int64 + uri: + description: 'URI is the destination to the desired protected object in the nginx.conf:' + type: string + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + type: object + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set to true + type: boolean + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.0.2/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.0.2/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..82790713bf --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,84 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + type: object + properties: + endpoints: + type: array + items: + description: Endpoint describes DNS Endpoint. + type: object + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + description: Labels stores labels defined for the Endpoint + type: object + additionalProperties: + type: string + providerSpecific: + description: ProviderSpecific stores provider specific config + type: array + items: + description: ProviderSpecificProperty represents provider specific config property. + type: object + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + recordTTL: + description: TTL for the record + type: integer + format: int64 + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, TXT, MX + type: string + targets: + description: The targets the DNS service points to + type: array + items: + type: string + status: + description: DNSEndpointStatus represents generation observed by the external dns controller. + type: object + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + type: integer + format: int64 + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..b0dc371fd7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,51 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. + type: object + properties: + listeners: + type: array + items: + description: Listener defines a listener. + type: object + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..907c22a88f --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,303 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. + type: object + properties: + accessControl: + description: AccessControl defines an access policy based on the source IP of a request. + type: object + properties: + allow: + type: array + items: + type: string + deny: + type: array + items: + type: string + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration policy status: preview' + type: object + properties: + realm: + type: string + secret: + type: string + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + type: object + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + type: object + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + jwt: + description: JWTAuth holds JWT authentication configuration. + type: object + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + oidc: + description: OIDC defines an Open ID Connect policy. + type: object + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + type: array + items: + type: string + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + rateLimit: + description: RateLimit defines a rate limit policy. + type: object + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + waf: + description: WAF defines an WAF policy. + type: object + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + type: object + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + securityLogs: + type: array + items: + description: SecurityLog defines the security log of a WAF policy. + type: object + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + status: + description: PolicyStatus is the status of the policy resource + type: object + properties: + message: + type: string + reason: + type: string + state: + type: string + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. + type: object + properties: + accessControl: + description: AccessControl defines an access policy based on the source IP of a request. + type: object + properties: + allow: + type: array + items: + type: string + deny: + type: array + items: + type: string + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + type: object + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + type: object + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + jwt: + description: JWTAuth holds JWT authentication configuration. + type: object + properties: + realm: + type: string + secret: + type: string + token: + type: string + rateLimit: + description: RateLimit defines a rate limit policy. + type: object + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..b1448e9e3b --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,156 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + type: object + properties: + name: + type: string + protocol: + type: string + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + type: object + properties: + timeout: + type: string + streamSnippets: + type: string + tls: + description: TLS defines TLS configuration for a TransportServer. + type: object + properties: + secret: + type: string + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + type: object + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + upstreams: + type: array + items: + description: Upstream defines an upstream. + type: object + properties: + failTimeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream HealthChecks. + type: object + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: Match defines the parameters of a custom health check. + type: object + properties: + expect: + type: string + send: + type: string + passes: + type: integer + port: + type: integer + timeout: + type: string + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + status: + description: TransportServerStatus defines the status for the TransportServer resource. + type: object + properties: + message: + type: string + reason: + type: string + state: + type: string + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..d21640a398 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,638 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. + type: object + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + type: array + items: + description: Route defines a route. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + dos: + type: string + errorPages: + type: array + items: + description: ErrorPage defines an ErrorPage in a Route. + type: object + properties: + codes: + type: array + items: + type: integer + redirect: + description: ErrorPageRedirect defines a redirect for an ErrorPage. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ErrorPageReturn defines a return for an ErrorPage. + type: object + properties: + body: + type: string + code: + type: integer + headers: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + type: + type: string + location-snippets: + type: string + matches: + type: array + items: + description: Match defines a match. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + conditions: + type: array + items: + description: Condition defines a condition in a MatchRule. + type: object + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + splits: + type: array + items: + description: Split defines a split. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + weight: + type: integer + path: + type: string + policies: + type: array + items: + description: PolicyReference references a policy by name and an optional namespace. + type: object + properties: + name: + type: string + namespace: + type: string + route: + type: string + splits: + type: array + items: + description: Split defines a split. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + weight: + type: integer + upstreams: + type: array + items: + description: Upstream defines an upstream. + type: object + properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for an Upstream. + type: object + properties: + number: + type: integer + size: + type: string + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream HealthChecks. + type: object + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for an Upstream. + type: object + properties: + enable: + type: boolean + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an Upstream. + type: object + properties: + size: + type: integer + timeout: + type: string + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session persistence. + type: object + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + slow-start: + type: string + subselector: + type: object + additionalProperties: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for an Upstream. + type: object + properties: + enable: + type: boolean + type: + type: string + use-cluster-ip: + type: boolean + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. + type: object + properties: + externalEndpoints: + type: array + items: + description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. + type: object + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..189cce4f6e --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,731 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + type: object + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual server. + type: object + properties: + enable: + type: boolean + labels: + description: Labels stores labels defined for the Endpoint + type: object + additionalProperties: + type: string + providerSpecific: + description: ProviderSpecific stores provider specific config + type: array + items: + description: ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. + type: object + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + recordTTL: + description: TTL for the record + type: integer + format: int64 + recordType: + type: string + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal routing. + type: boolean + listener: + description: Listener references a custom http and/or https listener defined in GlobalConfiguration. + type: object + properties: + http: + type: string + https: + type: string + policies: + type: array + items: + description: PolicyReference references a policy by name and an optional namespace. + type: object + properties: + name: + type: string + namespace: + type: string + routes: + type: array + items: + description: Route defines a route. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + dos: + type: string + errorPages: + type: array + items: + description: ErrorPage defines an ErrorPage in a Route. + type: object + properties: + codes: + type: array + items: + type: integer + redirect: + description: ErrorPageRedirect defines a redirect for an ErrorPage. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ErrorPageReturn defines a return for an ErrorPage. + type: object + properties: + body: + type: string + code: + type: integer + headers: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + type: + type: string + location-snippets: + type: string + matches: + type: array + items: + description: Match defines a match. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + conditions: + type: array + items: + description: Condition defines a condition in a MatchRule. + type: object + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + splits: + type: array + items: + description: Split defines a split. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + weight: + type: integer + path: + type: string + policies: + type: array + items: + description: PolicyReference references a policy by name and an optional namespace. + type: object + properties: + name: + type: string + namespace: + type: string + route: + type: string + splits: + type: array + items: + description: Split defines a split. + type: object + properties: + action: + description: Action defines an action. + type: object + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + type: object + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. + type: object + properties: + pass: + type: boolean + set: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + responseHeaders: + description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. + type: object + properties: + add: + type: array + items: + description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. + type: object + properties: + always: + type: boolean + name: + type: string + value: + type: string + hide: + type: array + items: + type: string + ignore: + type: array + items: + type: string + pass: + type: array + items: + type: string + rewritePath: + type: string + upstream: + type: string + redirect: + description: ActionRedirect defines a redirect in an Action. + type: object + properties: + code: + type: integer + url: + type: string + return: + description: ActionReturn defines a return in an Action. + type: object + properties: + body: + type: string + code: + type: integer + type: + type: string + weight: + type: integer + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + type: object + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + type: object + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + redirect: + description: TLSRedirect defines a redirect for a TLS. + type: object + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + secret: + type: string + upstreams: + type: array + items: + description: Upstream defines an upstream. + type: object + properties: + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for an Upstream. + type: object + properties: + number: + type: integer + size: + type: string + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream HealthChecks. + type: object + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + type: array + items: + description: Header defines an HTTP Header. + type: object + properties: + name: + type: string + value: + type: string + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for an Upstream. + type: object + properties: + enable: + type: boolean + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an Upstream. + type: object + properties: + size: + type: integer + timeout: + type: string + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session persistence. + type: object + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + slow-start: + type: string + subselector: + type: object + additionalProperties: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for an Upstream. + type: object + properties: + enable: + type: boolean + type: + type: string + use-cluster-ip: + type: boolean + status: + description: VirtualServerStatus defines the status for the VirtualServer resource. + type: object + properties: + externalEndpoints: + type: array + items: + description: ExternalEndpoint defines the IP/ Hostname and ports used to connect to this resource. + type: object + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + message: + type: string + reason: + type: string + state: + type: string + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/questions.yaml b/charts/f5/nginx-ingress/1.0.2/questions.yaml similarity index 100% rename from charts/f5/nginx-ingress/questions.yaml rename to charts/f5/nginx-ingress/1.0.2/questions.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/templates/NOTES.txt b/charts/f5/nginx-ingress/1.0.2/templates/NOTES.txt new file mode 100644 index 0000000000..c5f4cdf405 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/NOTES.txt @@ -0,0 +1 @@ +The NGINX Ingress Controller has been installed. diff --git a/charts/f5/nginx-ingress/1.0.2/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.0.2/templates/_helpers.tpl new file mode 100644 index 0000000000..5372053b0c --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/_helpers.tpl @@ -0,0 +1,135 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.0.2/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..fd11991865 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/controller-configmap.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.config.entries }} +{{ toYaml .Values.controller.config.entries | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.0.2/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..d6012c3a3b --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/controller-daemonset.yaml @@ -0,0 +1,280 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/daemonset: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: + - -nginx-plus={{ .Values.controller.nginxplus }} + - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} + - -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} + - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} + - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} + {{- if .Values.controller.appprotectdos.enable }} + - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} + - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} + - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} + {{ end }} + - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} + - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} + - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} + - -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} + - -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} + - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} + - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} + - -health-status={{ .Values.controller.healthStatus }} + - -health-status-uri={{ .Values.controller.healthStatusURI }} + - -nginx-debug={{ .Values.controller.nginxDebug }} + - -v={{ .Values.controller.logLevel }} + - -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} + - -nginx-status-port={{ .Values.controller.nginxStatus.port }} + - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} + - -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} + - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} + - -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} + - -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} + - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} + - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} + - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} + - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} + - -enable-prometheus-metrics={{ .Values.prometheus.create }} + - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} + - -prometheus-tls-secret={{ .Values.prometheus.secret }} + - -enable-service-insight={{ .Values.serviceInsight.create }} + - -service-insight-listen-port={{ .Values.serviceInsight.port }} + - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} + - -enable-custom-resources={{ .Values.controller.enableCustomResources }} + - -enable-snippets={{ .Values.controller.enableSnippets }} + - -include-year={{ .Values.controller.includeYear }} + - -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} + - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{ if .Values.controller.enableTLSPassthrough }} + - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{ end }} + - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} + - -enable-cert-manager={{ .Values.controller.enableCertManager }} + - -enable-oidc={{ .Values.controller.enableOIDC }} + - -enable-external-dns={{ .Values.controller.enableExternalDNS }} +{{- if .Values.controller.globalConfiguration.create }} + - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} + - -ready-status={{ .Values.controller.readyStatus.enable }} + - -ready-status-port={{ .Values.controller.readyStatus.port }} + - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.0.2/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..f23f515ef3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/controller-deployment.yaml @@ -0,0 +1,287 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts}} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: + - -nginx-plus={{ .Values.controller.nginxplus }} + - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} + - -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} + - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} + - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} + - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} + - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} + - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} + - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} + - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} + - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} + - -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} + - -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} + - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} + - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} + - -health-status={{ .Values.controller.healthStatus }} + - -health-status-uri={{ .Values.controller.healthStatusURI }} + - -nginx-debug={{ .Values.controller.nginxDebug }} + - -v={{ .Values.controller.logLevel }} + - -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} + - -nginx-status-port={{ .Values.controller.nginxStatus.port }} + - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} + - -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} + - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} + - -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} + - -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} + - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} + - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} + - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} + - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} + - -enable-prometheus-metrics={{ .Values.prometheus.create }} + - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} + - -prometheus-tls-secret={{ .Values.prometheus.secret }} + - -enable-service-insight={{ .Values.serviceInsight.create }} + - -service-insight-listen-port={{ .Values.serviceInsight.port }} + - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} + - -enable-custom-resources={{ .Values.controller.enableCustomResources }} + - -enable-snippets={{ .Values.controller.enableSnippets }} + - -include-year={{ .Values.controller.includeYear }} + - -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} + - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{ if .Values.controller.enableTLSPassthrough }} + - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{ end }} + - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} + - -enable-cert-manager={{ .Values.controller.enableCertManager }} + - -enable-oidc={{ .Values.controller.enableOIDC }} + - -enable-external-dns={{ .Values.controller.enableExternalDNS }} +{{- if .Values.controller.globalConfiguration.create }} + - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} + - -ready-status={{ .Values.controller.readyStatus.enable }} + - -ready-status-port={{ .Values.controller.readyStatus.port }} + - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-globalconfiguration.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-globalconfiguration.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-globalconfiguration.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..b8691648e9 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/controller-hpa.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-ingress-class.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-ingress-class.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-ingress-class.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-leader-election-configmap.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-leader-election-configmap.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-leader-election-configmap.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-pdb.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-pdb.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-pdb.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-prometheus-service.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-prometheus-service.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-prometheus-service.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-secret.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-secret.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-secret.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-service.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-service.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-service.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..0553a0e23a --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +imagePullSecrets: +- name: {{ .Values.controller.serviceAccount.imagePullSecretName }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-servicemonitor.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-servicemonitor.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-servicemonitor.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.0.2/templates/controller-wildcard-secret.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-wildcard-secret.yaml rename to charts/f5/nginx-ingress/1.0.2/templates/controller-wildcard-secret.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/templates/rbac.yaml b/charts/f5/nginx-ingress/1.0.2/templates/rbac.yaml new file mode 100644 index 0000000000..1410642d9c --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/templates/rbac.yaml @@ -0,0 +1,206 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} + - update + - create +{{- end }} +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.0.2/values-icp.yaml b/charts/f5/nginx-ingress/1.0.2/values-icp.yaml new file mode 100644 index 0000000000..7c1025ba69 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.3.2" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/values-nsm.yaml b/charts/f5/nginx-ingress/1.0.2/values-nsm.yaml similarity index 100% rename from charts/f5/nginx-ingress/values-nsm.yaml rename to charts/f5/nginx-ingress/1.0.2/values-nsm.yaml diff --git a/charts/f5/nginx-ingress/1.0.2/values-plus.yaml b/charts/f5/nginx-ingress/1.0.2/values-plus.yaml new file mode 100644 index 0000000000..072e265b06 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.3.2" diff --git a/charts/f5/nginx-ingress/1.0.2/values.schema.json b/charts/f5/nginx-ingress/1.0.2/values.schema.json new file mode 100644 index 0000000000..39f65da624 --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/values.schema.json @@ -0,0 +1,1812 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "2.3.1", + "title": "The tag of the Ingress Controller image", + "examples": [ + "2.3.1" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "2.3.1", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enablePreviewPolicies": { + "type": "boolean", + "default": false, + "title": "The enablePreviewPolicies", + "examples": [ + false + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + } + }, + "examples": [ + { + "name": "", + "imagePullSecretName": "" + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "2.3.1", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enablePreviewPolicies": false, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "" + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.27.4/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "2.3.1", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enablePreviewPolicies": false, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "" + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.0.2/values.yaml b/charts/f5/nginx-ingress/1.0.2/values.yaml new file mode 100644 index 0000000000..352497d95e --- /dev/null +++ b/charts/f5/nginx-ingress/1.0.2/values.yaml @@ -0,0 +1,507 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + # Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.3.2" + + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + # Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.2, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use controller.enableOIDC instead. + enablePreviewPolicies: false + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + ## Autogenerated if not set or set to "". + # leaderElectionLockName: "nginx-ingress-leader-election" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Configure root filesystem as read-only and add volumes for temporary data. + readOnlyRootFilesystem: false + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false diff --git a/charts/f5/nginx-ingress/1.1.0/.helmignore b/charts/f5/nginx-ingress/1.1.0/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.1.0/Chart.yaml b/charts/f5/nginx-ingress/1.1.0/Chart.yaml new file mode 100644 index 0000000000..345a3e4011 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.4.0 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress +type: application +version: 1.1.0 diff --git a/charts/f5/nginx-ingress/1.1.0/README.md b/charts/f5/nginx-ingress/1.1.0/README.md new file mode 100644 index 0000000000..cb0ffdc50d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/README.md @@ -0,0 +1,486 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.0 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.0` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.0` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.0 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.1.0/app-readme.md b/charts/f5/nginx-ingress/1.1.0/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..34d85433fe --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,98 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.0/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.1.0/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..54d27d796e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..e5695ddd8f --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..59bc5cb9d4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,322 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..ab3079a16c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,322 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..bc5b47c505 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,684 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..73f12b1697 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,783 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.0/questions.yaml b/charts/f5/nginx-ingress/1.1.0/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.1.0/templates/NOTES.txt b/charts/f5/nginx-ingress/1.1.0/templates/NOTES.txt new file mode 100644 index 0000000000..c5f4cdf405 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/NOTES.txt @@ -0,0 +1 @@ +The NGINX Ingress Controller has been installed. diff --git a/charts/f5/nginx-ingress/1.1.0/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.1.0/templates/_helpers.tpl new file mode 100644 index 0000000000..2f5add833d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/_helpers.tpl @@ -0,0 +1,226 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.1.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..559006ff61 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/clusterrole.yaml @@ -0,0 +1,155 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/templates/clusterrolebinding.yaml b/charts/f5/nginx-ingress/1.1.0/templates/clusterrolebiding.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/clusterrolebinding.yaml rename to charts/f5/nginx-ingress/1.1.0/templates/clusterrolebiding.yaml diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..fd11991865 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-configmap.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.config.entries }} +{{ toYaml .Values.controller.config.entries | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..b2459c927c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-daemonset.yaml @@ -0,0 +1,205 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/daemonset: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..1f291ff4cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-deployment.yaml @@ -0,0 +1,212 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts}} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-hpa.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-hpa.yaml rename to charts/f5/nginx-ingress/1.1.0/templates/controller-hpa.yaml diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-role.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-role.yaml rename to charts/f5/nginx-ingress/1.1.0/templates/controller-role.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-rolebinding.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-rolebiding.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-rolebinding.yaml rename to charts/f5/nginx-ingress/1.1.0/templates/controller-rolebiding.yaml diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-serviceaccount.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-serviceaccount.yaml rename to charts/f5/nginx-ingress/1.1.0/templates/controller-serviceaccount.yaml diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.1.0/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.0/values-icp.yaml b/charts/f5/nginx-ingress/1.1.0/values-icp.yaml new file mode 100644 index 0000000000..c2969ed7cf --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.4.0" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.1.0/values-nsm.yaml b/charts/f5/nginx-ingress/1.1.0/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.1.0/values-plus.yaml b/charts/f5/nginx-ingress/1.1.0/values-plus.yaml new file mode 100644 index 0000000000..54d8551ac2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.4.0" diff --git a/charts/f5/nginx-ingress/1.1.0/values.schema.json b/charts/f5/nginx-ingress/1.1.0/values.schema.json new file mode 100644 index 0000000000..0292118102 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/values.schema.json @@ -0,0 +1,1927 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.4.0", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.4.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.4.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.1.0/values.yaml b/charts/f5/nginx-ingress/1.1.0/values.yaml new file mode 100644 index 0000000000..1d7829266d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.0/values.yaml @@ -0,0 +1,529 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.4.0" + + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false diff --git a/charts/f5/nginx-ingress/1.1.2/.helmignore b/charts/f5/nginx-ingress/1.1.2/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.1.2/Chart.yaml b/charts/f5/nginx-ingress/1.1.2/Chart.yaml new file mode 100644 index 0000000000..05d4d68d17 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.4.2 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress +type: application +version: 1.1.2 diff --git a/charts/f5/nginx-ingress/1.1.2/README.md b/charts/f5/nginx-ingress/1.1.2/README.md new file mode 100644 index 0000000000..f4ecf5d29c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/README.md @@ -0,0 +1,486 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.2` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.2` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.2 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.1.2/app-readme.md b/charts/f5/nginx-ingress/1.1.2/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..34d85433fe --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,98 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.2/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.1.2/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..54d27d796e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..e5695ddd8f --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..59bc5cb9d4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,322 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..ab3079a16c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,322 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..bc5b47c505 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,684 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..73f12b1697 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,783 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.2/questions.yaml b/charts/f5/nginx-ingress/1.1.2/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.1.2/templates/NOTES.txt b/charts/f5/nginx-ingress/1.1.2/templates/NOTES.txt new file mode 100644 index 0000000000..c5f4cdf405 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/NOTES.txt @@ -0,0 +1 @@ +The NGINX Ingress Controller has been installed. diff --git a/charts/f5/nginx-ingress/1.1.2/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.1.2/templates/_helpers.tpl new file mode 100644 index 0000000000..2f5add833d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/_helpers.tpl @@ -0,0 +1,226 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.1.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..559006ff61 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/clusterrole.yaml @@ -0,0 +1,155 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/1.1.2/templates/clusterrolebiding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/clusterrolebiding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..fd11991865 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-configmap.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.config.entries }} +{{ toYaml .Values.controller.config.entries | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..b2459c927c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-daemonset.yaml @@ -0,0 +1,205 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/daemonset: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..1f291ff4cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-deployment.yaml @@ -0,0 +1,212 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts}} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-rolebiding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.1.2/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.2/values-icp.yaml b/charts/f5/nginx-ingress/1.1.2/values-icp.yaml new file mode 100644 index 0000000000..2c2d1f2663 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.4.2" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.1.2/values-nsm.yaml b/charts/f5/nginx-ingress/1.1.2/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.1.2/values-plus.yaml b/charts/f5/nginx-ingress/1.1.2/values-plus.yaml new file mode 100644 index 0000000000..d30f65751b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.4.2" diff --git a/charts/f5/nginx-ingress/1.1.2/values.schema.json b/charts/f5/nginx-ingress/1.1.2/values.schema.json new file mode 100644 index 0000000000..ce40e1983e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/values.schema.json @@ -0,0 +1,1927 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.4.2", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.4.2" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.4.2", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.2", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.2", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.1.2/values.yaml b/charts/f5/nginx-ingress/1.1.2/values.yaml new file mode 100644 index 0000000000..f0e2c9b2e2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.2/values.yaml @@ -0,0 +1,529 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.4.2" + + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false diff --git a/charts/f5/nginx-ingress/1.1.3/.helmignore b/charts/f5/nginx-ingress/1.1.3/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.1.3/Chart.yaml b/charts/f5/nginx-ingress/1.1.3/Chart.yaml new file mode 100644 index 0000000000..9338316416 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.4.3 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/charts/nginx-ingress +type: application +version: 1.1.3 diff --git a/charts/f5/nginx-ingress/1.1.3/README.md b/charts/f5/nginx-ingress/1.1.3/README.md new file mode 100644 index 0000000000..053585ad8d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/README.md @@ -0,0 +1,494 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml +``` + +In the above command, `v3.4.3` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.3 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.3` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.3` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.3 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.1.3/app-readme.md b/charts/f5/nginx-ingress/1.1.3/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..c95fe76547 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.1.3/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.1.3/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..33d91c9168 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..63d9195cf0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,106 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..1954063005 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,335 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..1f272a2efd --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,332 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..b51167a7ee --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,689 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..74e762459c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,789 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.1.3/questions.yaml b/charts/f5/nginx-ingress/1.1.3/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/templates/NOTES.txt b/charts/f5/nginx-ingress/1.1.3/templates/NOTES.txt similarity index 100% rename from charts/f5/nginx-ingress/templates/NOTES.txt rename to charts/f5/nginx-ingress/1.1.3/templates/NOTES.txt diff --git a/charts/f5/nginx-ingress/1.1.3/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.1.3/templates/_helpers.tpl new file mode 100644 index 0000000000..2f5add833d --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/_helpers.tpl @@ -0,0 +1,226 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.1.3/templates/clusterrole.yaml new file mode 100644 index 0000000000..559006ff61 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/clusterrole.yaml @@ -0,0 +1,155 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/1.1.3/templates/clusterrolebiding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/clusterrolebiding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-configmap.yaml new file mode 100644 index 0000000000..fd11991865 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-configmap.yaml @@ -0,0 +1,17 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.config.entries }} +{{ toYaml .Values.controller.config.entries | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..b2459c927c --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-daemonset.yaml @@ -0,0 +1,205 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/daemonset: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-deployment.yaml new file mode 100644 index 0000000000..1f291ff4cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-deployment.yaml @@ -0,0 +1,212 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} +{{- if .Values.nginxServiceMesh.enable }} + nsm.nginx.com/enable-ingress: "true" + nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" + nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels | indent 8 }} +{{- end }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumes }} + volumes: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: nginx-etc + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes | indent 6 }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.volumeMounts }} + volumeMounts: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - mountPath: /etc/nginx + name: nginx-etc + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts}} +{{ toYaml .Values.controller.volumeMounts | indent 8 }} +{{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or .Values.controller.readOnlyRootFilesystem .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if .Values.controller.readOnlyRootFilesystem }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-rolebiding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.1.3/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.1.3/values-icp.yaml b/charts/f5/nginx-ingress/1.1.3/values-icp.yaml new file mode 100644 index 0000000000..a9c49c5c64 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.4.3" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.1.3/values-nsm.yaml b/charts/f5/nginx-ingress/1.1.3/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.1.3/values-plus.yaml b/charts/f5/nginx-ingress/1.1.3/values-plus.yaml new file mode 100644 index 0000000000..7f5b0b1f6e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.4.3" diff --git a/charts/f5/nginx-ingress/1.1.3/values.schema.json b/charts/f5/nginx-ingress/1.1.3/values.schema.json new file mode 100644 index 0000000000..2b05640725 --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/values.schema.json @@ -0,0 +1,1927 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.4.3", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.4.3" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.28.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.1.3/values.yaml b/charts/f5/nginx-ingress/1.1.3/values.yaml new file mode 100644 index 0000000000..fe85c8a35e --- /dev/null +++ b/charts/f5/nginx-ingress/1.1.3/values.yaml @@ -0,0 +1,529 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.4.3" + + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false diff --git a/charts/f5/nginx-ingress/1.2.0/.helmignore b/charts/f5/nginx-ingress/1.2.0/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.2.0/Chart.yaml b/charts/f5/nginx-ingress/1.2.0/Chart.yaml new file mode 100644 index 0000000000..62891f17b2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.5.0 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.23.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/charts/nginx-ingress +type: application +version: 1.2.0 diff --git a/charts/f5/nginx-ingress/1.2.0/README.md b/charts/f5/nginx-ingress/1.2.0/README.md new file mode 100644 index 0000000000..c8ce00f3aa --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/README.md @@ -0,0 +1,514 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml +``` + +In the above command, `v3.4.3` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.3 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.3` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.4.3` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.3 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.3, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | +|`controller.enableDynamicWeightChangesReload` | Enable weight changes without reloading the NGINX configuration. May require increasing map_hash_bucket_size, map_hash_max_size, variable_hash_bucket_size, and variable_hash_max_size in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | +|`nginxAgent.enable` | Enable NGINX Agent to integrate Security Monitoring and App Protect WAF modules. Requires `controller.appprotect.enable`. | false | +|`nginxAgent.instanceGroup` | Set a custom Instance Group name, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" | +|`nginxAgent.logLevel` | Log level for NGINX Agent. | "error | +|`nginxAgent.instanceManager.host` | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" | +|`nginxAgent.instanceManager.grpcPort` | Port for connecting to NGINX Ingress Controller. | 443 | +|`nginxAgent.instanceManager.sni` | Server Name Indication for NGINX Instance Manager. See the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.instanceManager.tls.enable` | Enable TLS for NGINX Instance Manager connection. | true | +|`nginxAgent.instanceManager.tls.skipVerify` | Skip certification verification for NGINX Instance Manager connection. | false | +|`nginxAgent.instanceManager.tls.caSecret` | Name of `nginx.org/ca` secret used for verification of NGINX Instance Manager TLS. | "" | +|`nginxAgent.instanceManager.tls.secret` | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager. See the NGINX Instance Manager [docs](https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/#mutual-client-certificate-auth-setup-mtls) and the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.syslog.host` | Address for NGINX Agent to run syslog listener. | 127.0.0.1 | +|`nginxAgent.syslog.port` | Port for NGINX Agent to run syslog listener. | 1514 | +|`nginxAgent.napMonitoring.collectorBufferSize` | Buffer size for collector. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.napMonitoring.processorBufferSize` | Buffer size for processor. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.customConfigMap` | The name of a custom ConfigMap to use instead of the one provided by default. | "" | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.2.0/app-readme.md b/charts/f5/nginx-ingress/1.2.0/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..c95fe76547 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.0/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.2.0/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..33d91c9168 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..63d9195cf0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,106 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..e31e43c67a --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,339 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..1f272a2efd --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,332 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..b51167a7ee --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,689 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..74e762459c --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,789 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.0/questions.yaml b/charts/f5/nginx-ingress/1.2.0/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.2.0/templates/NOTES.txt b/charts/f5/nginx-ingress/1.2.0/templates/NOTES.txt new file mode 100644 index 0000000000..c9a2739771 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.2.0/templates/_helpers.tpl new file mode 100644 index 0000000000..497e1f6cdb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/_helpers.tpl @@ -0,0 +1,421 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Pod labels +*/}} +{{- define "nginx-ingress.podLabels" -}} +{{- include "nginx-ingress.selectorLabels" . }} +{{- if .Values.nginxServiceMesh.enable }} +nsm.nginx.com/enable-ingress: "true" +nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" +nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap used for NGINX Agent. +*/}} +{{- define "nginx-ingress.agentConfigName" -}} +{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} +{{ .Values.nginxAgent.customConfigMap }} +{{- else -}} +{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +{{- if and .Values.controller.debug .Values.controller.debug.enable }} +- --listen=:2345 +- --headless=true +- --log=true +- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack +- --accept-multiclient +- --api-version=2 +- exec +- ./nginx-ingress +{{- if .Values.controller.debug.continue }} +- --continue +{{- end }} +- -- +{{- end -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} +- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} +{{- if .Values.nginxAgent.enable }} +- -agent=true +- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} +{{- end }} +{{- end -}} + +{{/* +Volumes for controller. +*/}} +{{- define "nginx-ingress.volumes" -}} +{{- $volumesSet := "false" }} +volumes: +{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeEntries" . }} +{{- end -}} +{{- end -}} + +{{/* +List of volumes for controller. +*/}} +{{- define "nginx-ingress.volumeEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- name: nginx-etc + emptyDir: {} +- name: nginx-cache + emptyDir: {} +- name: nginx-lib + emptyDir: {} +- name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + configMap: + name: {{ include "nginx-ingress.agentConfigName" . }} +- name: agent-dynamic + emptyDir: {} +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + projected: + sources: +{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.secret }} +{{- end }} +{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Volume mounts for controller. +*/}} +{{- define "nginx-ingress.volumeMounts" -}} +{{- $volumesSet := "false" }} +volumeMounts: +{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeMountEntries" . }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.volumeMountEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- mountPath: /etc/nginx + name: nginx-etc +- mountPath: /var/cache/nginx + name: nginx-cache +- mountPath: /var/lib/nginx + name: nginx-lib +- mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf +- name: agent-dynamic + mountPath: /var/lib/nginx-agent +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.agentConfiguration" -}} +log: + level: {{ .Values.nginxAgent.logLevel }} + path: "" +server: + host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} + grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} +{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} + metrics: {{ .Values.nginxAgent.instanceManager.sni }} + command: {{ .Values.nginxAgent.instanceManager.sni }} +{{- end }} +{{- if .Values.nginxAgent.instanceManager.tls }} +tls: + enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} + skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} + {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + ca: "/etc/ssl/nms/ca.crt" + {{- end }} + {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + {{- end }} +{{- end }} +features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status +extensions: + - nginx-app-protect + - nap-monitoring +nginx_app_protect: + report_interval: 15s + precompiled_publication: true +nap_monitoring: + collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} + processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} + syslog_ip: {{ .Values.nginxAgent.syslog.host }} + syslog_port: {{ .Values.nginxAgent.syslog.port }} + +{{ end -}} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.2.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..a231ca820e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/clusterrole.yaml @@ -0,0 +1,168 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/1.2.0/templates/clusterrolebiding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/clusterrolebiding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-configmap.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-configmap.yaml rename to charts/f5/nginx-ingress/1.2.0/templates/controller-configmap.yaml diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..8da65c4683 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-daemonset.yaml @@ -0,0 +1,176 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..c8bc8f833c --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-deployment.yaml @@ -0,0 +1,183 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-rolebiding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.2.0/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.0/values-icp.yaml b/charts/f5/nginx-ingress/1.2.0/values-icp.yaml new file mode 100644 index 0000000000..a9c49c5c64 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.4.3" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.2.0/values-nsm.yaml b/charts/f5/nginx-ingress/1.2.0/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.2.0/values-plus.yaml b/charts/f5/nginx-ingress/1.2.0/values-plus.yaml new file mode 100644 index 0000000000..7f5b0b1f6e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.4.3" diff --git a/charts/f5/nginx-ingress/1.2.0/values.schema.json b/charts/f5/nginx-ingress/1.2.0/values.schema.json new file mode 100644 index 0000000000..36ec62f77f --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/values.schema.json @@ -0,0 +1,2169 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "object", + "default": {}, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "examples": [ + false, + true + ] + }, + "continue": { + "type": "boolean", + "default": true, + "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", + "examples": [ + false, + true + ] + } + }, + "examples": [ + { + "enable": true, + "continue": "fatal" + } + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.4.3", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.4.3" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + }, + "telemetryReporting": { + "type": "object", + "default": {}, + "title": "Configure telemetry reporting options", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": true, + "title": "Enable telemetry reporting", + "examples": [ + true + ] + } + } + }, + "enableWeightChangesDynamicReload": { + "type": "boolean", + "default": false, + "title": "Enables weight changes without reloading for NGINX Plus", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + }, + "nginxAgent": { + "type": "object", + "default": { + "enable": false + }, + "title": "Configuration for NGINX Agent.", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable NGINX Agent", + "examples": [ + false + ] + }, + "instanceGroup": { + "type": "string", + "default": "", + "title": "Set the --instance-group argument for NGINX Agent", + "examples": [ + "my-instance-group" + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level for NGINX Agent", + "enum": [ + "panic", + "fatal", + "error", + "info", + "debug", + "trace" + ], + "examples": [ + "error" + ] + }, + "instanceManager": { + "type": "object", + "default": {}, + "title": "Configuration for the connection to NGINX Instance Manager", + "examples": [], + "required": [ + "host" + ], + "properties": { + "host": { + "type": "string", + "title": "FQDN or IP for connecting to NGINX Instance Manager", + "examples": [ + "nim.example.com" + ] + }, + "grpcPort": { + "type": "integer", + "title": "Port for connecting to NGINX Instance Manager", + "default": 443, + "examples": [ + 443 + ] + }, + "sni": { + "type": "string", + "title": "Server Name Indication for NGINX Instance Manager", + "default": "", + "examples": [ + "nim.example.com" + ] + }, + "tls": { + "type": "object", + "default": {}, + "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", + "properties": { + "enable": { + "type": "boolean", + "default": "true", + "title": "enable TLS for NGINX Instance Manager connection" + }, + "secret": { + "type": "string", + "default": "", + "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" + }, + "caSecret": { + "type": "string", + "default": "", + "title": "nginx.org/ca secret for verification of Instance Manager TLS" + }, + "skipVerify": { + "type": "boolean", + "default": "false", + "title": "skip certificate verification" + } + } + } + } + }, + "syslog": { + "type": "object", + "default": { + "host": "127.0.0.1", + "port": 1514 + }, + "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", + "properties": { + "host": { + "type": "string", + "title": "Address for NGINX Agent to run syslog listener", + "default": "127.0.0.1", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "title": "Port for NGINX Agent to run syslog listener", + "default": 1514, + "examples": [ + 1514 + ] + } + } + }, + "napMonitoring": { + "type": "object", + "default": {}, + "title": "NGINX App Protect Monitoring config", + "properties": { + "collectorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for collector. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + }, + "processorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for processor. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + } + } + }, + "customConfigMap": { + "type": "string", + "title": "The name of a custom ConfigMap to use instead of the one provided by default", + "default": "", + "examples": [ + "my-custom-configmap" + ] + } + } + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.4.3", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.2.0/values.yaml b/charts/f5/nginx-ingress/1.2.0/values.yaml new file mode 100644 index 0000000000..d78eb7705d --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.0/values.yaml @@ -0,0 +1,588 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.4.3" + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + + ## Configure telemetry reporting options + telemetryReporting: + ## Enable telemetry reporting + enable: true + + ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. + ## May require increasing map_hash_bucket_size, map_hash_max_size, + ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. + enableWeightChangesDynamicReload: false + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false + +nginxAgent: + ## Enables NGINX Agent. + enable: false + ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used + instanceGroup: "" + logLevel: "error" + ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF + syslog: + host: "127.0.0.1" + port: 1514 + napMonitoring: + collectorBufferSize: 50000 + processorBufferSize: 50000 + instanceManager: + # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com + host: "" + grpcPort: 443 + sni: "" + tls: + enabled: true + skipVerify: false + ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager + secret: "" + ## nginx.org/ca secret for verification of Instance Manager TLS + caSecret: "" + ## The name of a custom ConfigMap to use instead of the one provided by default + customConfigMap: "" diff --git a/charts/f5/nginx-ingress/1.2.1/.helmignore b/charts/f5/nginx-ingress/1.2.1/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.2.1/Chart.yaml b/charts/f5/nginx-ingress/1.2.1/Chart.yaml new file mode 100644 index 0000000000..d5c362a345 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.5.1 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.1/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.23.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.1/charts/nginx-ingress +type: application +version: 1.2.1 diff --git a/charts/f5/nginx-ingress/1.2.1/README.md b/charts/f5/nginx-ingress/1.2.1/README.md new file mode 100644 index 0000000000..9187dec5e9 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/README.md @@ -0,0 +1,514 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.1/deploy/crds.yaml +``` + +In the above command, `v3.5.1` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.1 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.5.1` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.5.1` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.1 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.1, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | +|`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | +|`nginxAgent.enable` | Enable NGINX Agent to integrate Security Monitoring and App Protect WAF modules. Requires `controller.appprotect.enable`. | false | +|`nginxAgent.instanceGroup` | Set a custom Instance Group name, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" | +|`nginxAgent.logLevel` | Log level for NGINX Agent. | "error | +|`nginxAgent.instanceManager.host` | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" | +|`nginxAgent.instanceManager.grpcPort` | Port for connecting to NGINX Ingress Controller. | 443 | +|`nginxAgent.instanceManager.sni` | Server Name Indication for NGINX Instance Manager. See the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.instanceManager.tls.enable` | Enable TLS for NGINX Instance Manager connection. | true | +|`nginxAgent.instanceManager.tls.skipVerify` | Skip certification verification for NGINX Instance Manager connection. | false | +|`nginxAgent.instanceManager.tls.caSecret` | Name of `nginx.org/ca` secret used for verification of NGINX Instance Manager TLS. | "" | +|`nginxAgent.instanceManager.tls.secret` | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager. See the NGINX Instance Manager [docs](https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/#mutual-client-certificate-auth-setup-mtls) and the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.syslog.host` | Address for NGINX Agent to run syslog listener. | 127.0.0.1 | +|`nginxAgent.syslog.port` | Port for NGINX Agent to run syslog listener. | 1514 | +|`nginxAgent.napMonitoring.collectorBufferSize` | Buffer size for collector. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.napMonitoring.processorBufferSize` | Buffer size for processor. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.customConfigMap` | The name of a custom ConfigMap to use instead of the one provided by default. | "" | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.2.1/app-readme.md b/charts/f5/nginx-ingress/1.2.1/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_dosprotectedresources.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotectdos.f5.com_dosprotectedresources.yaml rename to charts/f5/nginx-ingress/1.2.1/crds/appprotectdos.f5.com_dosprotectedresources.yaml diff --git a/charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.2.1/crds/externaldns.nginx.org_dnsendpoints.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/externaldns.nginx.org_dnsendpoints.yaml rename to charts/f5/nginx-ingress/1.2.1/crds/externaldns.nginx.org_dnsendpoints.yaml diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_globalconfigurations.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/k8s.nginx.org_globalconfigurations.yaml rename to charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_globalconfigurations.yaml diff --git a/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..de6bef324b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,339 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_transportservers.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/k8s.nginx.org_transportservers.yaml rename to charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_transportservers.yaml diff --git a/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..7fde72e89a --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,689 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..1c28ddec64 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,789 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.1/questions.yaml b/charts/f5/nginx-ingress/1.2.1/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.2.1/templates/NOTES.txt b/charts/f5/nginx-ingress/1.2.1/templates/NOTES.txt new file mode 100644 index 0000000000..c9a2739771 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.2.1/templates/_helpers.tpl new file mode 100644 index 0000000000..497e1f6cdb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/_helpers.tpl @@ -0,0 +1,421 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Pod labels +*/}} +{{- define "nginx-ingress.podLabels" -}} +{{- include "nginx-ingress.selectorLabels" . }} +{{- if .Values.nginxServiceMesh.enable }} +nsm.nginx.com/enable-ingress: "true" +nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" +nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap used for NGINX Agent. +*/}} +{{- define "nginx-ingress.agentConfigName" -}} +{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} +{{ .Values.nginxAgent.customConfigMap }} +{{- else -}} +{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +{{- if and .Values.controller.debug .Values.controller.debug.enable }} +- --listen=:2345 +- --headless=true +- --log=true +- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack +- --accept-multiclient +- --api-version=2 +- exec +- ./nginx-ingress +{{- if .Values.controller.debug.continue }} +- --continue +{{- end }} +- -- +{{- end -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} +- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} +{{- if .Values.nginxAgent.enable }} +- -agent=true +- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} +{{- end }} +{{- end -}} + +{{/* +Volumes for controller. +*/}} +{{- define "nginx-ingress.volumes" -}} +{{- $volumesSet := "false" }} +volumes: +{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeEntries" . }} +{{- end -}} +{{- end -}} + +{{/* +List of volumes for controller. +*/}} +{{- define "nginx-ingress.volumeEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- name: nginx-etc + emptyDir: {} +- name: nginx-cache + emptyDir: {} +- name: nginx-lib + emptyDir: {} +- name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + configMap: + name: {{ include "nginx-ingress.agentConfigName" . }} +- name: agent-dynamic + emptyDir: {} +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + projected: + sources: +{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.secret }} +{{- end }} +{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Volume mounts for controller. +*/}} +{{- define "nginx-ingress.volumeMounts" -}} +{{- $volumesSet := "false" }} +volumeMounts: +{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeMountEntries" . }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.volumeMountEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- mountPath: /etc/nginx + name: nginx-etc +- mountPath: /var/cache/nginx + name: nginx-cache +- mountPath: /var/lib/nginx + name: nginx-lib +- mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf +- name: agent-dynamic + mountPath: /var/lib/nginx-agent +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.agentConfiguration" -}} +log: + level: {{ .Values.nginxAgent.logLevel }} + path: "" +server: + host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} + grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} +{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} + metrics: {{ .Values.nginxAgent.instanceManager.sni }} + command: {{ .Values.nginxAgent.instanceManager.sni }} +{{- end }} +{{- if .Values.nginxAgent.instanceManager.tls }} +tls: + enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} + skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} + {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + ca: "/etc/ssl/nms/ca.crt" + {{- end }} + {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + {{- end }} +{{- end }} +features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status +extensions: + - nginx-app-protect + - nap-monitoring +nginx_app_protect: + report_interval: 15s + precompiled_publication: true +nap_monitoring: + collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} + processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} + syslog_ip: {{ .Values.nginxAgent.syslog.host }} + syslog_port: {{ .Values.nginxAgent.syslog.port }} + +{{ end -}} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.2.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..a231ca820e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/clusterrole.yaml @@ -0,0 +1,168 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/1.2.1/templates/clusterrolebiding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/clusterrolebiding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..8f1d3e47bb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-configmap.yaml @@ -0,0 +1,32 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} +{{- end }} +--- +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.agentConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + nginx-agent.conf: |- +{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..8da65c4683 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-daemonset.yaml @@ -0,0 +1,176 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..c8bc8f833c --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-deployment.yaml @@ -0,0 +1,183 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-rolebiding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.2.1/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.1/values-icp.yaml b/charts/f5/nginx-ingress/1.2.1/values-icp.yaml new file mode 100644 index 0000000000..a89e0e55a5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.5.1" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.2.1/values-nsm.yaml b/charts/f5/nginx-ingress/1.2.1/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.2.1/values-plus.yaml b/charts/f5/nginx-ingress/1.2.1/values-plus.yaml new file mode 100644 index 0000000000..5bb25e01a5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.5.1" diff --git a/charts/f5/nginx-ingress/1.2.1/values.schema.json b/charts/f5/nginx-ingress/1.2.1/values.schema.json new file mode 100644 index 0000000000..9c1d9b5115 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/values.schema.json @@ -0,0 +1,2169 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "object", + "default": {}, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "examples": [ + false, + true + ] + }, + "continue": { + "type": "boolean", + "default": true, + "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", + "examples": [ + false, + true + ] + } + }, + "examples": [ + { + "enable": true, + "continue": "fatal" + } + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.5.1", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.5.1" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.5.1", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + }, + "telemetryReporting": { + "type": "object", + "default": {}, + "title": "Configure telemetry reporting options", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": true, + "title": "Enable telemetry reporting", + "examples": [ + true + ] + } + } + }, + "enableWeightChangesDynamicReload": { + "type": "boolean", + "default": false, + "title": "Enables weight changes without reloading for NGINX Plus", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.5.1", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + }, + "nginxAgent": { + "type": "object", + "default": { + "enable": false + }, + "title": "Configuration for NGINX Agent.", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable NGINX Agent", + "examples": [ + false + ] + }, + "instanceGroup": { + "type": "string", + "default": "", + "title": "Set the --instance-group argument for NGINX Agent", + "examples": [ + "my-instance-group" + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level for NGINX Agent", + "enum": [ + "panic", + "fatal", + "error", + "info", + "debug", + "trace" + ], + "examples": [ + "error" + ] + }, + "instanceManager": { + "type": "object", + "default": {}, + "title": "Configuration for the connection to NGINX Instance Manager", + "examples": [], + "required": [ + "host" + ], + "properties": { + "host": { + "type": "string", + "title": "FQDN or IP for connecting to NGINX Instance Manager", + "examples": [ + "nim.example.com" + ] + }, + "grpcPort": { + "type": "integer", + "title": "Port for connecting to NGINX Instance Manager", + "default": 443, + "examples": [ + 443 + ] + }, + "sni": { + "type": "string", + "title": "Server Name Indication for NGINX Instance Manager", + "default": "", + "examples": [ + "nim.example.com" + ] + }, + "tls": { + "type": "object", + "default": {}, + "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", + "properties": { + "enable": { + "type": "boolean", + "default": "true", + "title": "enable TLS for NGINX Instance Manager connection" + }, + "secret": { + "type": "string", + "default": "", + "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" + }, + "caSecret": { + "type": "string", + "default": "", + "title": "nginx.org/ca secret for verification of Instance Manager TLS" + }, + "skipVerify": { + "type": "boolean", + "default": "false", + "title": "skip certificate verification" + } + } + } + } + }, + "syslog": { + "type": "object", + "default": { + "host": "127.0.0.1", + "port": 1514 + }, + "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", + "properties": { + "host": { + "type": "string", + "title": "Address for NGINX Agent to run syslog listener", + "default": "127.0.0.1", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "title": "Port for NGINX Agent to run syslog listener", + "default": 1514, + "examples": [ + 1514 + ] + } + } + }, + "napMonitoring": { + "type": "object", + "default": {}, + "title": "NGINX App Protect Monitoring config", + "properties": { + "collectorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for collector. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + }, + "processorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for processor. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + } + } + }, + "customConfigMap": { + "type": "string", + "title": "The name of a custom ConfigMap to use instead of the one provided by default", + "default": "", + "examples": [ + "my-custom-configmap" + ] + } + } + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.5.1", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.2.1/values.yaml b/charts/f5/nginx-ingress/1.2.1/values.yaml new file mode 100644 index 0000000000..dbc289d344 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.1/values.yaml @@ -0,0 +1,588 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.5.1" + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + + ## Configure telemetry reporting options + telemetryReporting: + ## Enable telemetry reporting + enable: true + + ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. + ## May require increasing map_hash_bucket_size, map_hash_max_size, + ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. + enableWeightChangesDynamicReload: false + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false + +nginxAgent: + ## Enables NGINX Agent. + enable: false + ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used + instanceGroup: "" + logLevel: "error" + ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF + syslog: + host: "127.0.0.1" + port: 1514 + napMonitoring: + collectorBufferSize: 50000 + processorBufferSize: 50000 + instanceManager: + # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com + host: "" + grpcPort: 443 + sni: "" + tls: + enabled: true + skipVerify: false + ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager + secret: "" + ## nginx.org/ca secret for verification of Instance Manager TLS + caSecret: "" + ## The name of a custom ConfigMap to use instead of the one provided by default + customConfigMap: "" diff --git a/charts/f5/nginx-ingress/1.2.2/.helmignore b/charts/f5/nginx-ingress/1.2.2/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.2.2/Chart.yaml b/charts/f5/nginx-ingress/1.2.2/Chart.yaml new file mode 100644 index 0000000000..58f716cd31 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.5.2 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.23.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress +type: application +version: 1.2.2 diff --git a/charts/f5/nginx-ingress/1.2.2/README.md b/charts/f5/nginx-ingress/1.2.2/README.md new file mode 100644 index 0000000000..df8acd8995 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/README.md @@ -0,0 +1,514 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml +``` + +In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.5.2` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.5.2` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | +|`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | +|`rbac.create` | Configures RBAC. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | +|`nginxAgent.enable` | Enable NGINX Agent to integrate Security Monitoring and App Protect WAF modules. Requires `controller.appprotect.enable`. | false | +|`nginxAgent.instanceGroup` | Set a custom Instance Group name, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" | +|`nginxAgent.logLevel` | Log level for NGINX Agent. | "error | +|`nginxAgent.instanceManager.host` | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" | +|`nginxAgent.instanceManager.grpcPort` | Port for connecting to NGINX Ingress Controller. | 443 | +|`nginxAgent.instanceManager.sni` | Server Name Indication for NGINX Instance Manager. See the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.instanceManager.tls.enable` | Enable TLS for NGINX Instance Manager connection. | true | +|`nginxAgent.instanceManager.tls.skipVerify` | Skip certification verification for NGINX Instance Manager connection. | false | +|`nginxAgent.instanceManager.tls.caSecret` | Name of `nginx.org/ca` secret used for verification of NGINX Instance Manager TLS. | "" | +|`nginxAgent.instanceManager.tls.secret` | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager. See the NGINX Instance Manager [docs](https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/#mutual-client-certificate-auth-setup-mtls) and the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.syslog.host` | Address for NGINX Agent to run syslog listener. | 127.0.0.1 | +|`nginxAgent.syslog.port` | Port for NGINX Agent to run syslog listener. | 1514 | +|`nginxAgent.napMonitoring.collectorBufferSize` | Buffer size for collector. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.napMonitoring.processorBufferSize` | Buffer size for processor. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.customConfigMap` | The name of a custom ConfigMap to use instead of the one provided by default. | "" | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.2.2/app-readme.md b/charts/f5/nginx-ingress/1.2.2/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..53b7fb40d7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,80 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|1[0-9]{3}|20[1-3][0-9]|204[1-8]|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..0ca4649ce7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - "VIOL_ACCESS_INVALID" + - "VIOL_ACCESS_MALFORMED" + - "VIOL_ACCESS_MISSING" + - "VIOL_ASM_COOKIE_HIJACKING" + - "VIOL_ASM_COOKIE_MODIFIED" + - "VIOL_BLACKLISTED_IP" + - "VIOL_COOKIE_EXPIRED" + - "VIOL_COOKIE_LENGTH" + - "VIOL_COOKIE_MALFORMED" + - "VIOL_COOKIE_MODIFIED" + - "VIOL_CSRF" + - "VIOL_DATA_GUARD" + - "VIOL_ENCODING" + - "VIOL_EVASION" + - "VIOL_FILETYPE" + - "VIOL_FILE_UPLOAD" + - "VIOL_FILE_UPLOAD_IN_BODY" + - "VIOL_GRAPHQL_ERROR_RESPONSE" + - "VIOL_GRAPHQL_FORMAT" + - "VIOL_GRAPHQL_INTROSPECTION_QUERY" + - "VIOL_GRAPHQL_MALFORMED" + - "VIOL_GRPC_FORMAT" + - "VIOL_GRPC_MALFORMED" + - "VIOL_GRPC_METHOD" + - "VIOL_HEADER_LENGTH" + - "VIOL_HEADER_METACHAR" + - "VIOL_HEADER_REPEATED" + - "VIOL_HTTP_PROTOCOL" + - "VIOL_HTTP_RESPONSE_STATUS" + - "VIOL_JSON_FORMAT" + - "VIOL_JSON_MALFORMED" + - "VIOL_JSON_SCHEMA" + - "VIOL_MANDATORY_HEADER" + - "VIOL_MANDATORY_PARAMETER" + - "VIOL_MANDATORY_REQUEST_BODY" + - "VIOL_METHOD" + - "VIOL_PARAMETER" + - "VIOL_PARAMETER_ARRAY_VALUE" + - "VIOL_PARAMETER_DATA_TYPE" + - "VIOL_PARAMETER_EMPTY_VALUE" + - "VIOL_PARAMETER_LOCATION" + - "VIOL_PARAMETER_MULTIPART_NULL_VALUE" + - "VIOL_PARAMETER_NAME_METACHAR" + - "VIOL_PARAMETER_NUMERIC_VALUE" + - "VIOL_PARAMETER_REPEATED" + - "VIOL_PARAMETER_STATIC_VALUE" + - "VIOL_PARAMETER_VALUE_BASE64" + - "VIOL_PARAMETER_VALUE_LENGTH" + - "VIOL_PARAMETER_VALUE_METACHAR" + - "VIOL_PARAMETER_VALUE_REGEXP" + - "VIOL_POST_DATA_LENGTH" + - "VIOL_QUERY_STRING_LENGTH" + - "VIOL_RATING_NEED_EXAMINATION" + - "VIOL_RATING_THREAT" + - "VIOL_REQUEST_LENGTH" + - "VIOL_REQUEST_MAX_LENGTH" + - "VIOL_THREAT_CAMPAIGN" + - "VIOL_URL" + - "VIOL_URL_CONTENT_TYPE" + - "VIOL_URL_LENGTH" + - "VIOL_URL_METACHAR" + - "VIOL_XML_FORMAT" + - "VIOL_XML_MALFORMED" + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + lastCcnDigitsToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + metacharCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensetiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + name: + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..34eb0784f4 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,93 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..b7019df408 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.2.2/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.2.2/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..0275738afc --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..51fce137cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,106 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..de6bef324b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,339 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..64ac70e949 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,332 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..7fde72e89a --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,689 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..1c28ddec64 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,789 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.2.2/questions.yaml b/charts/f5/nginx-ingress/1.2.2/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.2.2/templates/NOTES.txt b/charts/f5/nginx-ingress/1.2.2/templates/NOTES.txt new file mode 100644 index 0000000000..c9a2739771 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.2.2/templates/_helpers.tpl new file mode 100644 index 0000000000..497e1f6cdb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/_helpers.tpl @@ -0,0 +1,421 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Pod labels +*/}} +{{- define "nginx-ingress.podLabels" -}} +{{- include "nginx-ingress.selectorLabels" . }} +{{- if .Values.nginxServiceMesh.enable }} +nsm.nginx.com/enable-ingress: "true" +nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" +nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap used for NGINX Agent. +*/}} +{{- define "nginx-ingress.agentConfigName" -}} +{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} +{{ .Values.nginxAgent.customConfigMap }} +{{- else -}} +{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{- if .Values.controller.image.digest -}} +{{- printf "%s@%s" .Values.controller.image.repository .Values.controller.image.digest -}} +{{- else -}} +{{- printf "%s:%s" .Values.controller.image.repository (include "nginx-ingress.tag" .) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +{{- if and .Values.controller.debug .Values.controller.debug.enable }} +- --listen=:2345 +- --headless=true +- --log=true +- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack +- --accept-multiclient +- --api-version=2 +- exec +- ./nginx-ingress +{{- if .Values.controller.debug.continue }} +- --continue +{{- end }} +- -- +{{- end -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} +- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} +{{- if .Values.nginxAgent.enable }} +- -agent=true +- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} +{{- end }} +{{- end -}} + +{{/* +Volumes for controller. +*/}} +{{- define "nginx-ingress.volumes" -}} +{{- $volumesSet := "false" }} +volumes: +{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeEntries" . }} +{{- end -}} +{{- end -}} + +{{/* +List of volumes for controller. +*/}} +{{- define "nginx-ingress.volumeEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- name: nginx-etc + emptyDir: {} +- name: nginx-cache + emptyDir: {} +- name: nginx-lib + emptyDir: {} +- name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + configMap: + name: {{ include "nginx-ingress.agentConfigName" . }} +- name: agent-dynamic + emptyDir: {} +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + projected: + sources: +{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.secret }} +{{- end }} +{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Volume mounts for controller. +*/}} +{{- define "nginx-ingress.volumeMounts" -}} +{{- $volumesSet := "false" }} +volumeMounts: +{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeMountEntries" . }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.volumeMountEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- mountPath: /etc/nginx + name: nginx-etc +- mountPath: /var/cache/nginx + name: nginx-cache +- mountPath: /var/lib/nginx + name: nginx-lib +- mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf +- name: agent-dynamic + mountPath: /var/lib/nginx-agent +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.agentConfiguration" -}} +log: + level: {{ .Values.nginxAgent.logLevel }} + path: "" +server: + host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} + grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} +{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} + metrics: {{ .Values.nginxAgent.instanceManager.sni }} + command: {{ .Values.nginxAgent.instanceManager.sni }} +{{- end }} +{{- if .Values.nginxAgent.instanceManager.tls }} +tls: + enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} + skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} + {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + ca: "/etc/ssl/nms/ca.crt" + {{- end }} + {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + {{- end }} +{{- end }} +features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status +extensions: + - nginx-app-protect + - nap-monitoring +nginx_app_protect: + report_interval: 15s + precompiled_publication: true +nap_monitoring: + collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} + processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} + syslog_ip: {{ .Values.nginxAgent.syslog.host }} + syslog_port: {{ .Values.nginxAgent.syslog.port }} + +{{ end -}} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.2.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..a231ca820e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/clusterrole.yaml @@ -0,0 +1,168 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/clusterrolebiding.yaml b/charts/f5/nginx-ingress/1.2.2/templates/clusterrolebiding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/clusterrolebiding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..8f1d3e47bb --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-configmap.yaml @@ -0,0 +1,32 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} +{{- end }} +--- +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.agentConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + nginx-agent.conf: |- +{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..8da65c4683 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-daemonset.yaml @@ -0,0 +1,176 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..c8bc8f833c --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-deployment.yaml @@ -0,0 +1,183 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-rolebiding.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-rolebiding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-rolebiding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.2.2/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.2.2/values-icp.yaml b/charts/f5/nginx-ingress/1.2.2/values-icp.yaml new file mode 100644 index 0000000000..404bbe6f67 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.5.2" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.2.2/values-nsm.yaml b/charts/f5/nginx-ingress/1.2.2/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.2.2/values-plus.yaml b/charts/f5/nginx-ingress/1.2.2/values-plus.yaml new file mode 100644 index 0000000000..c5d24f9aaa --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.5.2" diff --git a/charts/f5/nginx-ingress/1.2.2/values.schema.json b/charts/f5/nginx-ingress/1.2.2/values.schema.json new file mode 100644 index 0000000000..4d8f0400c7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/values.schema.json @@ -0,0 +1,2169 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "object", + "default": {}, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "examples": [ + false, + true + ] + }, + "continue": { + "type": "boolean", + "default": true, + "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", + "examples": [ + false, + true + ] + } + }, + "examples": [ + { + "enable": true, + "continue": "fatal" + } + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.5.2", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.5.2" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.5.2", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + }, + "telemetryReporting": { + "type": "object", + "default": {}, + "title": "Configure telemetry reporting options", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": true, + "title": "Enable telemetry reporting", + "examples": [ + true + ] + } + } + }, + "enableWeightChangesDynamicReload": { + "type": "boolean", + "default": false, + "title": "Enables weight changes without reloading for NGINX Plus", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.5.2", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.29.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + }, + "nginxAgent": { + "type": "object", + "default": { + "enable": false + }, + "title": "Configuration for NGINX Agent.", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable NGINX Agent", + "examples": [ + false + ] + }, + "instanceGroup": { + "type": "string", + "default": "", + "title": "Set the --instance-group argument for NGINX Agent", + "examples": [ + "my-instance-group" + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level for NGINX Agent", + "enum": [ + "panic", + "fatal", + "error", + "info", + "debug", + "trace" + ], + "examples": [ + "error" + ] + }, + "instanceManager": { + "type": "object", + "default": {}, + "title": "Configuration for the connection to NGINX Instance Manager", + "examples": [], + "required": [ + "host" + ], + "properties": { + "host": { + "type": "string", + "title": "FQDN or IP for connecting to NGINX Instance Manager", + "examples": [ + "nim.example.com" + ] + }, + "grpcPort": { + "type": "integer", + "title": "Port for connecting to NGINX Instance Manager", + "default": 443, + "examples": [ + 443 + ] + }, + "sni": { + "type": "string", + "title": "Server Name Indication for NGINX Instance Manager", + "default": "", + "examples": [ + "nim.example.com" + ] + }, + "tls": { + "type": "object", + "default": {}, + "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", + "properties": { + "enable": { + "type": "boolean", + "default": "true", + "title": "enable TLS for NGINX Instance Manager connection" + }, + "secret": { + "type": "string", + "default": "", + "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" + }, + "caSecret": { + "type": "string", + "default": "", + "title": "nginx.org/ca secret for verification of Instance Manager TLS" + }, + "skipVerify": { + "type": "boolean", + "default": "false", + "title": "skip certificate verification" + } + } + } + } + }, + "syslog": { + "type": "object", + "default": { + "host": "127.0.0.1", + "port": 1514 + }, + "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", + "properties": { + "host": { + "type": "string", + "title": "Address for NGINX Agent to run syslog listener", + "default": "127.0.0.1", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "title": "Port for NGINX Agent to run syslog listener", + "default": 1514, + "examples": [ + 1514 + ] + } + } + }, + "napMonitoring": { + "type": "object", + "default": {}, + "title": "NGINX App Protect Monitoring config", + "properties": { + "collectorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for collector. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + }, + "processorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for processor. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + } + } + }, + "customConfigMap": { + "type": "string", + "title": "The name of a custom ConfigMap to use instead of the one provided by default", + "default": "", + "examples": [ + "my-custom-configmap" + ] + } + } + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.5.2", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.2.2/values.yaml b/charts/f5/nginx-ingress/1.2.2/values.yaml new file mode 100644 index 0000000000..8b8ff0c195 --- /dev/null +++ b/charts/f5/nginx-ingress/1.2.2/values.yaml @@ -0,0 +1,588 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.5.2" + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 2.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + + ## Configure telemetry reporting options + telemetryReporting: + ## Enable telemetry reporting + enable: true + + ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. + ## May require increasing map_hash_bucket_size, map_hash_max_size, + ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. + enableWeightChangesDynamicReload: false + +rbac: + ## Configures RBAC. + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false + +nginxAgent: + ## Enables NGINX Agent. + enable: false + ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used + instanceGroup: "" + logLevel: "error" + ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF + syslog: + host: "127.0.0.1" + port: 1514 + napMonitoring: + collectorBufferSize: 50000 + processorBufferSize: 50000 + instanceManager: + # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com + host: "" + grpcPort: 443 + sni: "" + tls: + enabled: true + skipVerify: false + ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager + secret: "" + ## nginx.org/ca secret for verification of Instance Manager TLS + caSecret: "" + ## The name of a custom ConfigMap to use instead of the one provided by default + customConfigMap: "" diff --git a/charts/f5/nginx-ingress/1.3.0/.helmignore b/charts/f5/nginx-ingress/1.3.0/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/1.3.0/Chart.yaml b/charts/f5/nginx-ingress/1.3.0/Chart.yaml new file mode 100644 index 0000000000..c1c2247d2e --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NGINX Ingress Controller + catalog.cattle.io/kube-version: '>= 1.23.0-0' + catalog.cattle.io/release-name: nginx-ingress +apiVersion: v2 +appVersion: 3.6.0 +description: NGINX Ingress Controller +home: https://github.com/nginxinc/kubernetes-ingress +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png +keywords: +- ingress +- nginx +kubeVersion: '>= 1.23.0-0' +maintainers: +- email: kubernetes@nginx.com + name: nginxinc +name: nginx-ingress +sources: +- https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress +type: application +version: 1.3.0 diff --git a/charts/f5/nginx-ingress/1.3.0/README.md b/charts/f5/nginx-ingress/1.3.0/README.md new file mode 100644 index 0000000000..36ecbbdd5f --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/README.md @@ -0,0 +1,529 @@ +# NGINX Ingress Controller Helm Chart + +## Introduction + +This chart deploys NGINX Ingress Controller in your Kubernetes cluster. + +## Prerequisites + +**Note** All documentation should only be used with the latest stable release, indicated on +[the releases page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. +- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + Make sure to specify the secret using one of the following parameters: + `controller.serviceAccount.imagePullSecretName` or `controller.serviceAccount.imagePullSecretsNames`. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. + +## CRDs + +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. + +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. + +### Upgrading the CRDs + +To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl apply -f crds/ +``` + +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml +``` + +In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + +> **Note** +> +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. +> +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. + +### Uninstalling the CRDs + +To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: + +```console +kubectl delete -f crds/ +``` + +> **Note** +> +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. + +## Managing the Chart via OCI Registry + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 +``` + +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +``` + +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +### Edge Version + +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: + +```console +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +``` + +> **Warning** +> +> The `edge` version is not intended for production use. It is intended for testing and development purposes only. + +## Managing the Chart via Sources + +### Pulling the Chart + +This step is required if you're installing the chart using its sources. Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. + +1. Pull the chart sources: + + ```console + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0 + ``` + +2. Change your working directory to nginx-ingress: + + ```console + cd nginx-ingress + ``` + +### Installing the Chart + +To install the chart with the release name my-release (my-release is the name that you choose): + +For NGINX: + +```console +helm install my-release . +``` + +For NGINX Plus: + +```console +helm install my-release -f values-plus.yaml . +``` + +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. + +### Upgrading the Chart + +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). + +To upgrade the release `my-release`: + +```console +helm upgrade my-release . +``` + +### Uninstalling the Chart + +To uninstall/delete the release `my-release`: + +```console +helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the release and deletes the release. + +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). + +## Upgrading without downtime + +### Background + +In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) +to Helm resource names, labels and annotations to fit with Helm best practices. +When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will +be recreated due to the aforementioned changes, which will result in downtime. + +Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime +please follow the steps listed in this page. + +### Upgrade Steps + +**Note** The following steps apply to both 2.x and 3.0.x releases. + +The steps you should follow depend on the Helm release name: + +{{}} + +{{%tab name="Helm release name is `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployments -n + ``` + + Copy the key=value under `Selector`, such as: + + ```shell + Selector: app=nginx-ingress-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.6.0` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: nginx-ingress-nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="nginx-ingress-nginx-ingress" + --set controller.name="" + --set fullnameOverride="nginx-ingress-nginx-ingress" + ``` + + It could look as follows: + + ```shell + helm upgrade nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="nginx-ingress-nginx-ingress" --set controller.name="" --set fullnameOverride="nginx-ingress-nginx-ingress" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set nginx-ingress-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set nginx-ingress-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{%tab name="Helm release name is not `nginx-ingress`"%}} + +1. Use `kubectl describe` on deployment/daemonset to get the `Selector` value: + + ```shell + kubectl describe deployment/daemonset -n + ``` + + Copy the key=value under ```Selector```, such as: + + ```shell + Selector: app=-nginx-ingress + ``` + +2. Checkout the latest available tag using `git checkout v3.6.0` + +3. Navigate to `/kubernates-ingress/charts/nginx-ingress` + +4. Update the `selectorLabels: {}` field in the `values.yaml` file located at `/kubernates-ingress/charts/nginx-ingress` +with the copied `Selector` value. + + ```shell + selectorLabels: {app: -nginx-ingress} + ``` + +5. Run `helm upgrade` with following arguments set: + + ```shell + --set serviceNameOverride="-nginx-ingress" + --set controller.name="" + ``` + + It could look as follows: + + ```shell + helm upgrade test-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.19.0 --set controller.kind=deployment/daemonset --set controller.nginxplus=false/true --set controller.image.pullPolicy=Always --set serviceNameOverride="test-release-nginx-ingress" --set controller.name="" -f values.yaml + ``` + +6. Once the upgrade process has finished, use `kubectl describe` on the deployment to verify the change by +reviewing its events: + + ```shell + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ScalingReplicaSet 9m11s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 101s deployment-controller Scaled up replica set test-release-nginx-ingress- to 1 + Normal ScalingReplicaSet 98s deployment-controller Scaled down replica set test-release-nginx-ingress- to 0 from 1 + ``` + +{{%/tab%}} + +{{}} + +## Running Multiple Ingress Controllers + +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. + +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. + +## Configuration + +The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +|Parameter | Description | Default | +| --- | --- | --- | +|`controller.name` | The name of the Ingress Controller daemonset or deployment. | Autogenerated | +|`controller.kind` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment | +|`controller.annotations` | Allows for setting of `annotations` for deployment or daemonset. | {} | +|`controller.nginxplus` | Deploys the Ingress Controller for NGINX Plus. | false | +|`controller.nginxReloadTimeout` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 | +|`controller.hostNetwork` | Enables the Ingress Controller pods to use the host's network namespace. | false | +|`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | +|`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | +| `controller.shareProcessNamespace` | Enables process namespace sharing. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. [docs](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) | false | +|`controller.logLevel` | The log level of the Ingress Controller. | 1 | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | +|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.6.0 | +|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | +|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | +|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | +|`controller.config.name` | The name of the ConfigMap used by the Ingress Controller. | Autogenerated | +|`controller.config.annotations` | The annotations of the Ingress Controller configmap. | {} | +|`controller.config.entries` | The entries of the ConfigMap for customizing NGINX configuration. See [ConfigMap resource docs](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) for the list of supported ConfigMap keys. | {} | +|`controller.customPorts` | A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. | [] | +|`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. **Note:** It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | "" | +|`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. **Note:** Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. | None | +|`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None | +|`controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {} | +|`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30 | +|`controller.tolerations` | The tolerations of the Ingress Controller pods. | [] | +|`controller.affinity` | The affinity of the Ingress Controller pods. | {} | +|`controller.topologySpreadConstraints` | The topology spread constraints of the Ingress controller pods. | {} | +|`controller.env` | The additional environment variables to be set on the Ingress Controller pods. | [] | +|`controller.volumes` | The volumes of the Ingress Controller pods. | [] | +|`controller.volumeMounts` | The volumeMounts of the Ingress Controller pods. | [] | +|`controller.initContainers` | InitContainers for the Ingress Controller pods. | [] | +|`controller.extraContainers` | Extra (eg. sidecar) containers for the Ingress Controller pods. | [] | +|`controller.podSecurityContext`| The SecurityContext for Ingress Controller pods. | "seccompProfile": {"type": "RuntimeDefault"} | +|`controller.securityContext`| The SecurityContext for Ingress Controller container. | {} | +|`controller.initContainerSecurityContext`| The SecurityContext for Ingress Controller init container when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | {} | +|`controller.resources` | The resources of the Ingress Controller pods. | requests: cpu=100m,memory=128Mi | +|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi | +|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | +|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. | true | +|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | +|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | +|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | +|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" | +|`controller.enableCustomResources` | Enable the custom resources. | true | +|`controller.enableOIDC` | Enable OIDC policies. | false | +|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false | +|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 | +|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false | +|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false | +|`controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | +|`controller.enableSnippets` | Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. | false | +|`controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress Controller. | false | +|`controller.healthStatusURI` | Sets the URI of health status location in the default server. Requires `controller.healthStatus`. | "/nginx-health" | +|`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true | +|`controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080 | +|`controller.nginxStatus.allowCidrs` | Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1,::1 | +|`controller.priorityClassName` | The PriorityClass of the Ingress Controller pods. | None | +|`controller.service.create` | Creates a service to expose the Ingress Controller pods. | true | +|`controller.service.type` | The type of service to create for the Ingress Controller. | LoadBalancer | +|`controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local | +|`controller.service.annotations` | The annotations of the Ingress Controller service. | {} | +|`controller.service.extraLabels` | The extra labels of the service. | {} | +|`controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | "" | +|`controller.service.externalIPs` | The list of external IPs for the Ingress Controller service. | [] | +|`controller.service.clusterIP` | The clusterIP for the Ingress Controller service, autoassigned if not specified. | "" | +|`controller.service.loadBalancerSourceRanges` | The IP ranges (CIDR) that are allowed to access the load balancer. Requires `controller.service.type` set to `LoadBalancer`. The cloud provider must support this feature. | [] | +|`controller.service.name` | The name of the service. | Autogenerated | +|`controller.service.customPorts` | A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. | [] | +|`controller.service.httpPort.enable` | Enables the HTTP port for the Ingress Controller service. | true | +|`controller.service.httpPort.port` | The HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpPort.nodePort` | The custom NodePort for the HTTP port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpPort.targetPort` | The target port of the HTTP port of the Ingress Controller service. | 80 | +|`controller.service.httpsPort.enable` | Enables the HTTPS port for the Ingress Controller service. | true | +|`controller.service.httpsPort.port` | The HTTPS port of the Ingress Controller service. | 443 | +|`controller.service.httpsPort.nodePort` | The custom NodePort for the HTTPS port. Requires `controller.service.type` set to `NodePort`. | "" | +|`controller.service.httpsPort.targetPort` | The target port of the HTTPS port of the Ingress Controller service. | 443 | +|`controller.serviceAccount.annotations` | The annotations of the Ingress Controller service account. | {} | +|`controller.serviceAccount.name` | The name of the service account of the Ingress Controller pods. Used for RBAC. | Autogenerated | +|`controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" | +|`controller.serviceAccount.imagePullSecretsNames` | The list of secret names containing docker registry credentials. Secret must exist in the same namespace as the helm release. | [] | +|`controller.serviceMonitor.name` | The name of the serviceMonitor. | Autogenerated | +|`controller.serviceMonitor.create` | Create a ServiceMonitor custom resource. | false | +|`controller.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | "" | +|`controller.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | "" | +|`controller.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | "" | +|`controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true | +|`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated | +|`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" | +|`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true | +|`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated | +|`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} | +|`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} | +|`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} | +|`controller.appprotect.enable` | Enables the App Protect WAF module in the Ingress Controller. | false | +|`controller.appprotect.v5` | Enables App Protect WAF v5. | false | +|`controller.appprotect.volumes` | Volumes for App Protect WAF v5. | [{"name": "app-protect-bd-config", "emptyDir": {}},{"name": "app-protect-config", "emptyDir": {}},{"name": "app-protect-bundles", "emptyDir": {}}] | +|`controller.appprotect.enforcer.host` | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" | +|`controller.appprotect.enforcer.port` | Port that the App Protect WAF v5 Enforcer runs on. | 50000 | +|`controller.appprotect.enforcer.image` | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer | +|`controller.appprotect.enforcer.tag` | The tag of the App Protect WAF v5 Enforcer. | "5.2.0" | +|`controller.appprotect.enforcer.digest` | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "5.2.0" | +|`controller.appprotect.enforcer.pullPolicy` | The pull policy for the App Protect WAF v5 Enforcer image. | "5.2.0" | +|`controller.appprotect.enforcer.securityContext` | The security context for App Protect WAF v5 Enforcer container. | {} | +|`controller.appprotect.configManager.image` | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr | +|`controller.appprotect.configManager.tag` | The tag of the App Protect WAF v5 Configuration Manager. | "5.2.0" | +|`controller.appprotect.configManager.digest` | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "5.2.0" | +|`controller.appprotect.configManager.pullPolicy` | The pull policy for the App Protect WAF v5 Configuration Manager image. | "5.2.0" | +|`controller.appprotect.configManager.securityContext` | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} | +|`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false | +|`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false | +|`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 | +|`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine | +|`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller | +|`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true | +|`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 | +|`controller.readyStatus.initialDelaySeconds` | The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. | 0 | +|`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | +|`controller.minReadySeconds` | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | +|`controller.autoscaling.enabled` | Enables HorizontalPodAutoscaling. | false | +|`controller.autoscaling.annotations` | The annotations of the Ingress Controller HorizontalPodAutoscaler. | {} | +|`controller.autoscaling.behavior` | Behavior configuration for the HPA. | {} | +|`controller.autoscaling.minReplicas` | Minimum number of replicas for the HPA. | 1 | +|`controller.autoscaling.maxReplicas` | Maximum number of replicas for the HPA. | 3 | +|`controller.autoscaling.targetCPUUtilizationPercentage` | The target CPU utilization percentage. | 50 | +|`controller.autoscaling.targetMemoryUtilizationPercentage` | The target memory utilization percentage. | 50 | +|`controller.podDisruptionBudget.enabled` | Enables PodDisruptionBudget. | false | +|`controller.podDisruptionBudget.annotations` | The annotations of the Ingress Controller pod disruption budget | {} | +|`controller.podDisruptionBudget.minAvailable` | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 | +|`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | +|`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | +|`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | +|`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. Three major releases after 3.5.x this argument will be moved permanently to the `controller.securityContext` section. | false | +|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true | +|`controller.telemetryReporting.enable` | Enable telemetry reporting. | true | +|`controller.enableWeightChangesDynamicReload` | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false | +|`rbac.create` | Configures RBAC. | true | +|`rbac.clusterrole.create` | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true | +|`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +|`prometheus.port` | Configures the port to scrape the metrics. | 9113 | +|`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +|`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +|`prometheus.service.create` | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +|`prometheus.service.labels` | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.create` | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +|`prometheus.serviceMonitor.labels` | Kubernetes object labels to attach to the serviceMonitor object. | {} | +|`prometheus.serviceMonitor.selectorMatchLabels` | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +|`prometheus.serviceMonitor.endpoints` | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +|`serviceInsight.create` | Expose NGINX Plus Service Insight endpoint. | false | +|`serviceInsight.port` | Configures the port to expose endpoints. | 9114 | +|`serviceInsight.scheme` | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +|`serviceInsight.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +|`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | +|`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false | +|`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | +|`nginxAgent.enable` | Enable NGINX Agent to integrate Security Monitoring and App Protect WAF modules. Requires `controller.appprotect.enable`. | false | +|`nginxAgent.instanceGroup` | Set a custom Instance Group name, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" | +|`nginxAgent.logLevel` | Log level for NGINX Agent. | "error | +|`nginxAgent.instanceManager.host` | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" | +|`nginxAgent.instanceManager.grpcPort` | Port for connecting to NGINX Ingress Controller. | 443 | +|`nginxAgent.instanceManager.sni` | Server Name Indication for NGINX Instance Manager. See the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.instanceManager.tls.enable` | Enable TLS for NGINX Instance Manager connection. | true | +|`nginxAgent.instanceManager.tls.skipVerify` | Skip certification verification for NGINX Instance Manager connection. | false | +|`nginxAgent.instanceManager.tls.caSecret` | Name of `nginx.org/ca` secret used for verification of NGINX Instance Manager TLS. | "" | +|`nginxAgent.instanceManager.tls.secret` | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager. See the NGINX Instance Manager [docs](https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/#mutual-client-certificate-auth-setup-mtls) and the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" | +|`nginxAgent.syslog.host` | Address for NGINX Agent to run syslog listener. | 127.0.0.1 | +|`nginxAgent.syslog.port` | Port for NGINX Agent to run syslog listener. | 1514 | +|`nginxAgent.napMonitoring.collectorBufferSize` | Buffer size for collector. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.napMonitoring.processorBufferSize` | Buffer size for processor. Will contain log lines and parsed log lines. | 50000 | +|`nginxAgent.customConfigMap` | The name of a custom ConfigMap to use instead of the one provided by default. | "" | + +## Notes + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/charts/f5/nginx-ingress/1.3.0/app-readme.md b/charts/f5/nginx-ingress/1.3.0/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_aplogconfs.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotect.f5.com_aplogconfs.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_aplogconfs.yaml diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_appolicies.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotect.f5.com_appolicies.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_appolicies.yaml diff --git a/charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_apusersigs.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/appprotect.f5.com_apusersigs.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/appprotect.f5.com_apusersigs.yaml diff --git a/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..b7019df408 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.0/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.3.0/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..0275738afc --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..51fce137cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,106 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_policies.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/k8s.nginx.org_policies.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_policies.yaml diff --git a/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..64ac70e949 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,332 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_virtualserverroutes.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualserverroutes.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_virtualserverroutes.yaml diff --git a/charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_virtualservers.yaml similarity index 100% rename from charts/f5/nginx-ingress/crds/k8s.nginx.org_virtualservers.yaml rename to charts/f5/nginx-ingress/1.3.0/crds/k8s.nginx.org_virtualservers.yaml diff --git a/charts/f5/nginx-ingress/1.3.0/questions.yaml b/charts/f5/nginx-ingress/1.3.0/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.3.0/templates/NOTES.txt b/charts/f5/nginx-ingress/1.3.0/templates/NOTES.txt new file mode 100644 index 0000000000..c9a2739771 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/charts/f5/nginx-ingress/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.3.0/templates/_helpers.tpl similarity index 100% rename from charts/f5/nginx-ingress/templates/_helpers.tpl rename to charts/f5/nginx-ingress/1.3.0/templates/_helpers.tpl diff --git a/charts/f5/nginx-ingress/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.3.0/templates/clusterrole.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/clusterrole.yaml rename to charts/f5/nginx-ingress/1.3.0/templates/clusterrole.yaml diff --git a/charts/f5/nginx-ingress/1.3.0/templates/clusterrolebinding.yaml b/charts/f5/nginx-ingress/1.3.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..8f1d3e47bb --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-configmap.yaml @@ -0,0 +1,32 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} +{{- end }} +--- +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.agentConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + nginx-agent.conf: |- +{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-daemonset.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-daemonset.yaml rename to charts/f5/nginx-ingress/1.3.0/templates/controller-daemonset.yaml diff --git a/charts/f5/nginx-ingress/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-deployment.yaml similarity index 100% rename from charts/f5/nginx-ingress/templates/controller-deployment.yaml rename to charts/f5/nginx-ingress/1.3.0/templates/controller-deployment.yaml diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-rolebinding.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.3.0/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.0/values-icp.yaml b/charts/f5/nginx-ingress/1.3.0/values-icp.yaml new file mode 100644 index 0000000000..d973006e66 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/values-icp.yaml @@ -0,0 +1,17 @@ +controller: + name: controller + kind: daemonset + nginxplus: true + image: + repository: mycluster.icp:8500/kube-system/nginx-plus-ingress + tag: "3.6.0" + nodeSelector: + beta.kubernetes.io/arch: "amd64" + proxy: true + terminationGracePeriodSeconds: 60 + tolerations: + - key: "dedicated" + operator: "Exists" + effect: "NoSchedule" + - key: "CriticalAddonsOnly" + operator: "Exists" diff --git a/charts/f5/nginx-ingress/1.3.0/values-nsm.yaml b/charts/f5/nginx-ingress/1.3.0/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/1.3.0/values-plus.yaml b/charts/f5/nginx-ingress/1.3.0/values-plus.yaml new file mode 100644 index 0000000000..f51a2347cb --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/values-plus.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + nginxplus: true + image: + repository: nginx-plus-ingress + tag: "3.6.0" diff --git a/charts/f5/nginx-ingress/1.3.0/values.schema.json b/charts/f5/nginx-ingress/1.3.0/values.schema.json new file mode 100644 index 0000000000..6c53cfe6b7 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/values.schema.json @@ -0,0 +1,2373 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "default": {}, + "title": "Root Schema", + "required": [ + "controller", + "rbac", + "prometheus", + "serviceInsight", + "nginxServiceMesh" + ], + "properties": { + "controller": { + "type": "object", + "default": {}, + "title": "The Ingress Controller Helm Schema", + "required": [ + "name", + "kind", + "image" + ], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name of the Ingress Controller", + "examples": [ + "controller" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "The kind of the Ingress Controller", + "enum": [ + "deployment", + "daemonset" + ], + "examples": [ + "deployment", + "daemonset" + ] + }, + "selectorLabels": { + "type": "object", + "default": {}, + "title": "The selectorLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "nginxplus": { + "type": "boolean", + "default": false, + "title": "Deploys the Ingress Controller for NGINX Plus", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "object", + "default": {}, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Runs the container with Delve, expects a version of the IC container with dlv as the entrypoint", + "examples": [ + false, + true + ] + }, + "continue": { + "type": "boolean", + "default": true, + "title": "Starts Delve with --continue which means that IC will not wait for a debugger attach to start", + "examples": [ + false, + true + ] + } + }, + "examples": [ + { + "enable": true, + "continue": "fatal" + } + ] + }, + "nginxReloadTimeout": { + "type": "integer", + "default": 0, + "title": "Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start", + "examples": [ + 60000 + ] + }, + "appprotect": { + "type": "object", + "default": {}, + "title": "The App Protect WAF Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect WAF module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "v5": { + "type": "boolean", + "default": false, + "title": "Enables App Protect WAF v5.", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "string", + "default": "", + "title": "The logLevel for App Protect WAF", + "enum": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ], + "examples": [ + "fatal", + "error", + "warn", + "info", + "debug", + "trace" + ] + }, + "volumes": { + "type": "array", + "default": [ + { + "name": "app-protect-bd-config", + "emptyDir": {} + }, + { + "name": "app-protect-config", + "emptyDir": {} + }, + { + "name": "app-protect-bundles", + "emptyDir": {} + } + ], + "title": "Volumes for App Protect WAF v5", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "enforcer": { + "type": "object", + "properties": { + "host": { + "type": "string", + "default": "127.0.0.1", + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "default": 50000, + "title": "Port which the App Protect WAF v5 Enforcer process runs on", + "examples": [ + 50000 + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-enforcer", + "title": "The repository of the App Protect WAF v5 Enforcer image", + "examples": [ + "private-registry.nginx.com/nap/waf-enforcer" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Enforcer image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Enforcer image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-enforcer", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + }, + "configManager": { + "type": "object", + "properties": { + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "private-registry.nginx.com/nap/waf-config-mgr", + "title": "The repository of the App Protect WAF v5 Config Manager image", + "examples": [ + "private-registry.nginx.com/nap/waf-config-mgr" + ] + }, + "tag": { + "type": "string", + "default": "5.2.0", + "title": "The tag of the App Protect WAF v5 Config Manager image", + "examples": [ + "5.2.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the App Protect WAF v5 Config Manager image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "private-registry.nginx.com/nap/waf-config-mgr", + "tag": "5.2.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "securityContext": { + "type": "object", + "default": { + "allowPrivilegeEscalation": false, + "runAsUser": 101, + "runAsNonRoot": true, + "capabilities": { + "drop": [ + "all" + ] + } + }, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + } + } + } + }, + "examples": [ + { + "enable": true, + "logLevel": "fatal" + } + ] + }, + "appprotectdos": { + "type": "object", + "default": {}, + "title": "The App Protect DoS Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable the App Protect DoS module in the Ingress Controller", + "examples": [ + false, + true + ] + }, + "debug": { + "type": "boolean", + "default": false, + "title": "debugging for App Protect DoS", + "examples": [ + false, + true + ] + }, + "maxWorkers": { + "type": "integer", + "default": 0, + "title": "Max number of nginx processes to support", + "examples": [ + 0 + ] + }, + "maxDaemons": { + "type": "integer", + "default": 0, + "title": "Max number of ADMD instances", + "examples": [ + 0 + ] + }, + "memory": { + "type": "integer", + "default": 0, + "title": "RAM memory size to consume in MB", + "examples": [ + 0 + ] + } + }, + "examples": [ + { + "enable": true, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + } + ] + }, + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "The hostNetwork Schema", + "examples": [ + false, + true + ] + }, + "hostPort": { + "type": "object", + "default": {}, + "title": "The hostPort Schema", + "patternProperties": { + "^.*$": { + "anyOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + }, + { + "type": "boolean" + } + ] + } + }, + "additionalProperties": false + }, + "containerPort": { + "type": "object", + "default": {}, + "title": "The containerPort Schema", + "patternProperties": { + "^.*$": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + } + }, + "additionalProperties": false + }, + "dnsPolicy": { + "type": "string", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + }, + { + "enum": [ + "ClusterFirstWithHostNet", + "ClusterFirst", + "Default", + "None" + ] + } + ] + }, + "nginxDebug": { + "type": "boolean", + "default": false, + "title": "Enables debugging for NGINX", + "examples": [ + false, + true + ] + }, + "shareProcessNamespace": { + "type": "boolean", + "default": false, + "title": "Enables sharing of the process namespace between pods within the Ingress Controller", + "examples": [ + false, + true + ] + }, + "logLevel": { + "type": "integer", + "default": 1, + "title": "The logLevel of the Ingress Controller", + "enum": [ + 0, + 1, + 2, + 3 + ], + "examples": [ + 1 + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts to expose on the NGINX Ingress Controller pod", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + }, + "examples": [ + [ + { + "name": "http", + "containerPort": 80, + "protocol": "TCP" + }, + { + "name": "https", + "containerPort": 443, + "protocol": "TCP" + } + ] + ] + }, + "image": { + "type": "object", + "default": {}, + "title": "The image Schema", + "required": [ + "repository" + ], + "properties": { + "repository": { + "type": "string", + "default": "nginx/nginx-ingress", + "title": "The repository of the Ingress Controller", + "examples": [ + "nginx/nginx-ingress" + ] + }, + "tag": { + "type": "string", + "default": "3.6.0", + "title": "The tag of the Ingress Controller image", + "examples": [ + "3.6.0" + ] + }, + "digest": { + "type": "string", + "default": "", + "title": "The digest of the Ingress Controller image", + "examples": [ + "sha256:2710c264e8eaeb663cee63db37b75a1ac1709f63a130fb091c843a6c3a4dc572" + ] + }, + "pullPolicy": { + "type": "string", + "default": "IfNotPresent", + "title": "The pullPolicy for the Ingress Controller image", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + }, + { + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ], + "examples": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "examples": [ + { + "repository": "nginx/nginx-ingress", + "tag": "3.6.0", + "pullPolicy": "IfNotPresent" + } + ] + }, + "lifecycle": { + "type": "object", + "default": {}, + "title": "The lifecycle Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + }, + "customConfigMap": { + "type": "string", + "default": "", + "title": "The customConfigMap Schema", + "examples": [ + "" + ] + }, + "config": { + "type": "object", + "default": {}, + "title": "The config Schema", + "required": [], + "properties": { + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "entries": { + "type": "object", + "default": {}, + "title": "The entries Schema", + "required": [], + "properties": {}, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "name": "", + "annotations": {}, + "entries": {} + } + ] + }, + "defaultTLS": { + "type": "object", + "default": {}, + "title": "The defaultTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "wildcardTLS": { + "type": "object", + "default": {}, + "title": "The wildcardTLS Schema", + "required": [], + "properties": { + "cert": { + "type": "string", + "default": "", + "title": "The cert Schema", + "examples": [ + "" + ] + }, + "key": { + "type": "string", + "default": "", + "title": "The key Schema", + "examples": [ + "" + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret Schema", + "examples": [ + "" + ] + } + }, + "examples": [] + }, + "nodeSelector": { + "type": "object", + "default": {}, + "title": "The nodeSelector Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "default": 30, + "title": "The terminationGracePeriodSeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + }, + "podSecurityContext": { + "type": "object", + "default": {}, + "title": "The podSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + }, + "securityContext": { + "type": "object", + "default": {}, + "title": "The securityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "initContainerSecurityContext": { + "type": "object", + "default": {}, + "title": "The initContainerSecurityContext Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + }, + "resources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "initContainerResources": { + "type": "object", + "default": {}, + "title": "The resources Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + }, + "tolerations": { + "type": "array", + "default": [], + "title": "The tolerations Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + } + }, + "affinity": { + "type": "object", + "default": {}, + "title": "The affinity Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + }, + "topologySpreadConstraints": { + "type": "object", + "default": {}, + "title": "The topologySpreadConstraints Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + }, + "env": { + "type": "array", + "default": [], + "title": "The env Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + } + }, + "volumes": { + "type": "array", + "default": [], + "title": "The volumes Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + } + }, + "volumeMounts": { + "type": "array", + "default": [], + "title": "The volumeMounts Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + } + }, + "initContainers": { + "type": "array", + "default": [], + "title": "The initContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "minReadySeconds": { + "type": "integer", + "default": 0, + "title": "The minReadySeconds Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + }, + "strategy": { + "type": "object", + "default": {}, + "title": "The strategy Schema", + "allOf": [ + { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + }, + { + "properties": { + "type": { + "type": "string", + "enum": [ + "Recreate", + "RollingUpdate", + "OnDelete" + ] + } + } + } + ] + }, + "extraContainers": { + "type": "array", + "default": [], + "title": "The extraContainers Schema", + "items": { + "type": "object", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + } + }, + "replicaCount": { + "type": "integer", + "default": 1, + "title": "The replicaCount", + "examples": [ + 1 + ] + }, + "ingressClass": { + "type": "object", + "default": {}, + "title": "The ingressClass", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "The create", + "examples": [ + true + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The ingressClass name", + "examples": [ + "nginx" + ] + }, + "setAsDefaultIngress": { + "type": "boolean", + "default": false, + "title": "The setAsDefaultIngress", + "examples": [ + false + ] + } + } + }, + "watchNamespace": { + "type": "string", + "default": "", + "title": "The watchNamespace", + "examples": [ + "" + ] + }, + "watchSecretNamespace": { + "type": "string", + "default": "", + "title": "The watchSecretNamespace", + "examples": [ + "" + ] + }, + "enableCustomResources": { + "type": "boolean", + "default": false, + "title": "The enableCustomResources", + "examples": [ + true + ] + }, + "enableOIDC": { + "type": "boolean", + "default": false, + "title": "The enableOIDC", + "examples": [ + false + ] + }, + "includeYear": { + "type": "boolean", + "default": false, + "title": "The includeYear", + "examples": [ + false + ] + }, + "enableTLSPassthrough": { + "type": "boolean", + "default": false, + "title": "The enableTLSPassthrough", + "examples": [ + false + ] + }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, + "enableCertManager": { + "type": "boolean", + "default": false, + "title": "The enableCertManager", + "examples": [ + false + ] + }, + "enableExternalDNS": { + "type": "boolean", + "default": false, + "title": "The enableExternalDNS", + "examples": [ + false + ] + }, + "globalConfiguration": { + "type": "object", + "default": {}, + "title": "The globalConfiguration Schema", + "required": [ + "create", + "spec" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + false + ] + }, + "spec": { + "type": "object", + "default": {}, + "title": "The spec Schema", + "required": [], + "properties": { + "listeners": { + "type": "array", + "default": [], + "title": "The listeners Schema", + "items": { + "type": "object", + "default": {}, + "properties": { + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 5353 + ] + }, + "protocol": { + "type": "string", + "default": "", + "title": "The protocol", + "examples": [ + "TCP" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "The name", + "examples": [ + "dns-tcp" + ] + } + } + } + } + }, + "examples": [ + {} + ] + } + }, + "examples": [ + { + "create": false, + "spec": {} + } + ] + }, + "enableSnippets": { + "type": "boolean", + "default": false, + "title": "The enableSnippets", + "examples": [ + false + ] + }, + "healthStatus": { + "type": "boolean", + "default": false, + "title": "The healthStatus", + "examples": [ + false + ] + }, + "healthStatusURI": { + "type": "string", + "format": "uri-reference", + "default": "/nginx-health", + "title": "The healthStatusURI Schema", + "examples": [ + "/nginx-health" + ] + }, + "nginxStatus": { + "type": "object", + "default": {}, + "title": "The nginxStatus Schema", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 8080, + "title": "The port", + "examples": [ + 8080 + ] + }, + "allowCidrs": { + "type": "string", + "default": "127.0.0.1", + "title": "The allowCidrs", + "examples": [ + "127.0.0.1" + ] + } + }, + "examples": [ + { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + } + ] + }, + "service": { + "type": "object", + "default": {}, + "title": "The service Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "type": { + "type": "string", + "default": "", + "title": "The type", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + }, + "externalTrafficPolicy": { + "type": "string", + "default": "", + "title": "The externalTrafficPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels", + "required": [], + "properties": {}, + "examples": [ + {} + ] + }, + "loadBalancerIP": { + "type": "string", + "default": "", + "title": "The loadBalancerIP", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + }, + "externalIPs": { + "type": "array", + "default": [], + "title": "The externalIPs", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + }, + "loadBalancerSourceRanges": { + "type": "array", + "default": [], + "title": "The loadBalancerSourceRanges", + "items": {}, + "examples": [ + [] + ] + }, + "allocateLoadBalancerNodePorts": { + "type": "boolean", + "default": false, + "title": "The allocateLoadBalancerNodePorts Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + }, + "ipFamilyPolicy": { + "type": "string", + "default": "", + "title": "The ipFamilyPolicy Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "examples": [ + "" + ] + }, + "ipFamilies": { + "type": "array", + "default": [], + "title": "The ipFamilies Schema", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + }, + "httpPort": { + "type": "object", + "default": {}, + "title": "The httpPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 80 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 80 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + } + ] + }, + "httpsPort": { + "type": "object", + "default": {}, + "title": "The httpsPort", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 443 + ] + }, + "nodePort": { + "type": "integer", + "default": 0, + "title": "The nodePort", + "examples": [ + 443 + ] + }, + "targetPort": { + "type": "integer", + "default": 0, + "title": "The targetPort", + "examples": [ + 443 + ] + } + }, + "examples": [ + { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + } + ] + }, + "customPorts": { + "type": "array", + "default": [], + "title": "The customPorts", + "items": { + "type": "object", + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + } + } + }, + "examples": [ + { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "name": "", + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + } + ] + }, + "serviceAccount": { + "type": "object", + "default": {}, + "title": "The serviceAccount Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "name": { + "type": "string", + "default": "", + "title": "The name Schema", + "examples": [ + "" + ] + }, + "imagePullSecretName": { + "type": "string", + "default": "", + "title": "The imagePullSecretName", + "examples": [ + "" + ] + }, + "imagePullSecretsNames": { + "type": "array", + "default": [], + "title": "The imagePullSecretName list", + "examples": [ + [] + ] + } + }, + "oneOf": [ + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "minItems": 1 + } + }, + "required": [ + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "minLength": 1 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + }, + { + "properties": { + "imagePullSecretName": { + "maxLength": 0 + }, + "imagePullSecretsNames": { + "maxItems": 0 + } + }, + "not": { + "required": [ + "imagePullSecretName", + "imagePullSecretsNames" + ] + } + } + ], + "examples": [ + { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + } + ] + }, + "reportIngressStatus": { + "type": "object", + "default": {}, + "title": "The reportIngressStatus Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "externalService": { + "type": "string", + "default": "", + "title": "The externalService", + "examples": [ + "" + ] + }, + "ingressLink": { + "type": "string", + "default": "", + "title": "The ingressLink", + "examples": [ + "" + ] + }, + "enableLeaderElection": { + "type": "boolean", + "default": false, + "title": "The enableLeaderElection", + "examples": [ + true + ] + }, + "leaderElectionLockName": { + "type": "string", + "default": "", + "title": "The leaderElectionLockName", + "examples": [ + "" + ] + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + } + }, + "examples": [ + { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + } + ] + }, + "pod": { + "type": "object", + "default": {}, + "title": "The pod Schema", + "required": [], + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "extraLabels": { + "type": "object", + "default": {}, + "title": "The extraLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + }, + "examples": [ + { + "annotations": {}, + "extraLabels": {} + } + ] + }, + "priorityClassName": { + "type": "string", + "default": "", + "title": "The priorityClassName", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + }, + "podDisruptionBudget": { + "type": "object", + "default": {}, + "title": "The podDisruptionBudget Schema", + "required": [ + "enabled" + ], + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "The annotations Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + }, + "minAvailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + }, + "maxUnavailable": { + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + } + }, + "examples": [ + { + "enable": true, + "minAvailable": 1 + }, + { + "enable": true, + "maxUnavailable": 1 + } + ] + }, + "readyStatus": { + "type": "object", + "default": {}, + "title": "The readyStatus", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 0, + "title": "The port", + "examples": [ + 8081 + ] + }, + "initialDelaySeconds": { + "type": "integer", + "default": 0, + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + } + }, + "examples": [ + { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + } + ] + }, + "enableLatencyMetrics": { + "type": "boolean", + "default": false, + "title": "The enableLatencyMetrics", + "examples": [ + false + ] + }, + "disableIPV6": { + "type": "boolean", + "default": false, + "title": "The disableIPV6", + "examples": [ + false + ] + }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, + "readOnlyRootFilesystem": { + "type": "boolean", + "default": false, + "title": "The readOnlyRootFilesystem", + "examples": [ + false + ] + }, + "enableSSLDynamicReload": { + "type": "boolean", + "default": true, + "title": "Enable dynamic certificate reloads for NGINX Plus", + "examples": [ + true + ] + }, + "telemetryReporting": { + "type": "object", + "default": {}, + "title": "Configure telemetry reporting options", + "required": [], + "properties": { + "enable": { + "type": "boolean", + "default": true, + "title": "Enable telemetry reporting", + "examples": [ + true + ] + } + } + }, + "enableWeightChangesDynamicReload": { + "type": "boolean", + "default": false, + "title": "Enables weight changes without reloading for NGINX Plus", + "examples": [ + false + ] + } + }, + "examples": [ + { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "shareProcessNamespace": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.6.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "podSecurityContext": { + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "securityContext": {}, + "initContainerSecurityContext": {}, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + } + ] + }, + "rbac": { + "type": "object", + "default": {}, + "title": "The rbac Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create Schema", + "examples": [ + true + ] + } + }, + "examples": [ + { + "create": true + } + ] + }, + "prometheus": { + "type": "object", + "default": {}, + "title": "The prometheus Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9113, + "title": "The port", + "examples": [ + 9113 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + }, + "service": { + "type": "object", + "default": {}, + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + } + } + }, + "serviceMonitor": { + "type": "object", + "default": {}, + "title": "The serviceMonitor Schema", + "required": [], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + false + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "The labels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + }, + "selectorMatchLabels": { + "type": "object", + "default": {}, + "title": "The selectorMatchLabels Schema", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + }, + "endpoints": { + "type": "array", + "default": [], + "title": "The endpoints", + "required": [], + "items": {} + } + }, + "examples": [ + { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": [] + } + ] + } + }, + "examples": [ + { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http" + } + ] + }, + "serviceInsight": { + "type": "object", + "default": {}, + "title": "The Service Insight Schema", + "required": [ + "create" + ], + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "The create", + "examples": [ + true + ] + }, + "port": { + "type": "integer", + "default": 9114, + "title": "The port", + "examples": [ + 9114 + ] + }, + "secret": { + "type": "string", + "default": "", + "title": "The secret", + "examples": [ + "" + ] + }, + "scheme": { + "type": "string", + "default": "http", + "title": "The scheme", + "examples": [ + "http" + ] + } + }, + "examples": [ + { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + } + ] + }, + "nginxServiceMesh": { + "type": "object", + "default": {}, + "title": "The nginxServiceMesh Schema", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "The enable", + "examples": [ + false + ] + }, + "enableEgress": { + "type": "boolean", + "default": false, + "title": "The enableEgress", + "examples": [ + false + ] + } + }, + "examples": [ + { + "enable": false, + "enableEgress": false + } + ] + }, + "nginxAgent": { + "type": "object", + "default": { + "enable": false + }, + "title": "Configuration for NGINX Agent.", + "required": [ + "enable" + ], + "properties": { + "enable": { + "type": "boolean", + "default": false, + "title": "Enable NGINX Agent", + "examples": [ + false + ] + }, + "instanceGroup": { + "type": "string", + "default": "", + "title": "Set the --instance-group argument for NGINX Agent", + "examples": [ + "my-instance-group" + ] + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level for NGINX Agent", + "enum": [ + "panic", + "fatal", + "error", + "info", + "debug", + "trace" + ], + "examples": [ + "error" + ] + }, + "instanceManager": { + "type": "object", + "default": {}, + "title": "Configuration for the connection to NGINX Instance Manager", + "examples": [], + "required": [ + "host" + ], + "properties": { + "host": { + "type": "string", + "title": "FQDN or IP for connecting to NGINX Instance Manager", + "examples": [ + "nim.example.com" + ] + }, + "grpcPort": { + "type": "integer", + "title": "Port for connecting to NGINX Instance Manager", + "default": 443, + "examples": [ + 443 + ] + }, + "sni": { + "type": "string", + "title": "Server Name Indication for NGINX Instance Manager", + "default": "", + "examples": [ + "nim.example.com" + ] + }, + "tls": { + "type": "object", + "default": {}, + "title": "TLS configuration for connection between NGINX Agent and NGINX Instance Manager", + "properties": { + "enable": { + "type": "boolean", + "default": "true", + "title": "enable TLS for NGINX Instance Manager connection" + }, + "secret": { + "type": "string", + "default": "", + "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and NGINX Instance Manager" + }, + "caSecret": { + "type": "string", + "default": "", + "title": "nginx.org/ca secret for verification of Instance Manager TLS" + }, + "skipVerify": { + "type": "boolean", + "default": "false", + "title": "skip certificate verification" + } + } + } + } + }, + "syslog": { + "type": "object", + "default": { + "host": "127.0.0.1", + "port": 1514 + }, + "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF", + "properties": { + "host": { + "type": "string", + "title": "Address for NGINX Agent to run syslog listener", + "default": "127.0.0.1", + "examples": [ + "127.0.0.1" + ] + }, + "port": { + "type": "integer", + "title": "Port for NGINX Agent to run syslog listener", + "default": 1514, + "examples": [ + 1514 + ] + } + } + }, + "napMonitoring": { + "type": "object", + "default": {}, + "title": "NGINX App Protect Monitoring config", + "properties": { + "collectorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for collector. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + }, + "processorBufferSize": { + "type": "integer", + "default": 50000, + "title": "Buffer size for processor. Will contain log lines and parsed log lines", + "examples": [ + 50000 + ] + } + } + }, + "customConfigMap": { + "type": "string", + "title": "The name of a custom ConfigMap to use instead of the one provided by default", + "default": "", + "examples": [ + "my-custom-configmap" + ] + } + } + } + }, + "examples": [ + { + "controller": { + "name": "", + "kind": "deployment", + "nginxplus": false, + "nginxReloadTimeout": 60000, + "appprotect": { + "enable": false, + "logLevel": "fatal" + }, + "appprotectdos": { + "enable": false, + "debug": false, + "maxWorkers": 0, + "maxDaemons": 0, + "memory": 0 + }, + "hostNetwork": false, + "nginxDebug": false, + "logLevel": 1, + "customPorts": [], + "image": { + "repository": "nginx/nginx-ingress", + "tag": "3.6.0", + "digest": "", + "pullPolicy": "IfNotPresent" + }, + "lifecycle": {}, + "customConfigMap": "", + "config": { + "name": "", + "annotations": {}, + "entries": {} + }, + "defaultTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "wildcardTLS": { + "cert": "", + "key": "", + "secret": "" + }, + "nodeSelector": {}, + "terminationGracePeriodSeconds": 30, + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "initContainerResources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "affinity": {}, + "topologySpreadConstraints": {}, + "env": [], + "volumes": [], + "volumeMounts": [], + "initContainers": [], + "minReadySeconds": 0, + "strategy": {}, + "extraContainers": [], + "replicaCount": 1, + "ingressClass": "nginx", + "setAsDefaultIngress": false, + "watchNamespace": "", + "enableCustomResources": true, + "enableOIDC": false, + "includeYear": false, + "enableTLSPassthrough": false, + "enableCertManager": false, + "enableExternalDNS": false, + "globalConfiguration": { + "create": false, + "spec": {} + }, + "enableSnippets": false, + "healthStatus": false, + "healthStatusURI": "/nginx-health", + "nginxStatus": { + "enable": true, + "port": 8080, + "allowCidrs": "127.0.0.1" + }, + "service": { + "create": true, + "type": "LoadBalancer", + "externalTrafficPolicy": "Local", + "annotations": {}, + "extraLabels": {}, + "loadBalancerIP": "", + "externalIPs": [], + "loadBalancerSourceRanges": [], + "allocateLoadBalancerNodePorts": false, + "ipFamilyPolicy": "", + "ipFamilies": [], + "httpPort": { + "enable": true, + "port": 80, + "nodePort": "", + "targetPort": 80 + }, + "httpsPort": { + "enable": true, + "port": 443, + "nodePort": "", + "targetPort": 443 + }, + "customPorts": [] + }, + "serviceAccount": { + "name": "", + "imagePullSecretName": "", + "imagePullSecretsNames": [] + }, + "podDisruptionBudget": { + "enabled": false, + "annotations": {}, + "minAvailable": 0, + "minUnavailable": 0 + }, + "reportIngressStatus": { + "enable": true, + "externalService": "", + "ingressLink": "", + "enableLeaderElection": true, + "leaderElectionLockName": "", + "annotations": {} + }, + "pod": { + "annotations": {}, + "extraLabels": {} + }, + "priorityClassName": "", + "readyStatus": { + "enable": true, + "port": 8081, + "initialDelaySeconds": 0 + }, + "enableLatencyMetrics": false, + "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, + "readOnlyRootFilesystem": false + }, + "rbac": { + "create": true + }, + "prometheus": { + "create": true, + "port": 9113, + "secret": "", + "scheme": "http", + "service": { + "create": false, + "labels": {} + }, + "serviceMonitor": { + "create": false, + "labels": {}, + "selectorMatchLabels": {}, + "endpoints": {} + } + }, + "serviceInsight": { + "create": true, + "port": 9114, + "secret": "", + "scheme": "http" + }, + "nginxServiceMesh": { + "enable": false, + "enableEgress": false + } + } + ] +} diff --git a/charts/f5/nginx-ingress/1.3.0/values.yaml b/charts/f5/nginx-ingress/1.3.0/values.yaml new file mode 100644 index 0000000000..a3b888ab4c --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.0/values.yaml @@ -0,0 +1,649 @@ +controller: + ## The name of the Ingress Controller daemonset or deployment. + name: controller + + ## The kind of the Ingress Controller installation - deployment or daemonset. + kind: deployment + + ## The selectorLabels used to override the default values. + selectorLabels: {} + + ## Annotations for deployments and daemonsets + annotations: {} + + ## Deploys the Ingress Controller for NGINX Plus. + nginxplus: false + + ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. + nginxReloadTimeout: 60000 + + ## Support for App Protect WAF + appprotect: + ## Enable the App Protect WAF module in the Ingress Controller. + enable: false + ## Enables App Protect WAF v5. + v5: false + ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace + # logLevel: fatal + + # Volumes for App Protect WAF v5 + # Required volumes are: app-protect-bd-config, app-protect-config, and app-protect-bundles + volumes: + - name: app-protect-bd-config + emptyDir: {} + - name: app-protect-config + emptyDir: {} + - name: app-protect-bundles + emptyDir: {} + + ## Configuration for App Protect WAF v5 Enforcer + enforcer: + # Host that the App Protect WAF v5 Enforcer runs on. + # This will normally be "127.0.0.1" as the Enforcer container + # will run in the same pod as the Ingress Controller container. + host: "127.0.0.1" + # Port that the App Protect WAF v5 Enforcer runs on. + port: 50000 + image: + ## The image repository of the App Protect WAF v5 Enforcer. + repository: private-registry.nginx.com/nap/waf-enforcer + + ## The tag of the App Protect WAF v5 Enforcer image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Enforcer image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Enforcer image. + pullPolicy: IfNotPresent + securityContext: {} + + ## Configuration for App Protect WAF v5 Configuration Manager + configManager: + image: + ## The image repository of the App Protect WAF v5 Configuration Manager. + repository: private-registry.nginx.com/nap/waf-config-mgr + + ## The tag of the App Protect WAF v5 Configuration Manager image. + tag: "5.2.0" + ## The digest of the App Protect WAF v5 Configuration Manager image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the App Protect WAF v5 Configuration Manager image. + pullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - all + + ## Support for App Protect DoS + appprotectdos: + ## Enable the App Protect DoS module in the Ingress Controller. + enable: false + ## Enable debugging for App Protect DoS. + debug: false + ## Max number of nginx processes to support. + maxWorkers: 0 + ## Max number of ADMD instances. + maxDaemons: 0 + ## RAM memory size to consume in MB. + memory: 0 + + ## Enables the Ingress Controller pods to use the host's network namespace. + hostNetwork: false + + ## The hostPort configuration for the Ingress Controller pods. + hostPort: + ## Enables hostPort for the Ingress Controller pods. + enable: false + + ## The HTTP hostPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS hostPort configuration for the Ingress Controller pods. + https: 443 + + containerPort: + ## The HTTP containerPort configuration for the Ingress Controller pods. + http: 80 + + ## The HTTPS containerPort configuration for the Ingress Controller pods. + https: 443 + + ## DNS policy for the Ingress Controller pods + dnsPolicy: ClusterFirst + + ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug in the ConfigMap via `controller.config.entries`. + nginxDebug: false + + ## Share process namespace between containers in the Ingress Controller pod. + shareProcessNamespace: false + + ## The log level of the Ingress Controller. + logLevel: 1 + + ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the conventional Kubernetes yaml syntax for container ports. + customPorts: [] + + image: + ## The image repository of the Ingress Controller. + repository: nginx/nginx-ingress + + ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. + # tag: "3.6.0" + ## The digest of the Ingress Controller image. + ## If digest is specified it has precedence over tag and will be used instead + # digest: "sha256:CHANGEME" + + ## The pull policy for the Ingress Controller image. + pullPolicy: IfNotPresent + + ## The lifecycle of the Ingress Controller pods. + lifecycle: {} + + ## The custom ConfigMap to use instead of the one provided by default + customConfigMap: "" + + config: + ## The name of the ConfigMap used by the Ingress Controller. + ## Autogenerated if not set or set to "". + # name: nginx-config + + ## The annotations of the Ingress Controller configmap. + annotations: {} + + ## The entries of the ConfigMap for customizing NGINX configuration. + entries: {} + + ## It is recommended to use your own TLS certificates and keys + defaultTLS: + ## The base64-encoded TLS certificate for the default HTTPS server. + ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + cert: "" + + ## The base64-encoded TLS key for the default HTTPS server. + ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + key: "" + + ## The secret with a TLS certificate and key for the default HTTPS server. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. + ## Note: Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. + ## Format: / + secret: "" + + wildcardTLS: + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + cert: "" + + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. + key: "" + + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## The value must follow the following format: `/`. + ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. + ## Format: / + secret: "" + + ## The node selector for pod assignment for the Ingress Controller pods. + # nodeSelector: {} + + ## The termination grace period of the Ingress Controller pod. + terminationGracePeriodSeconds: 30 + + ## HorizontalPodAutoscaling (HPA) + autoscaling: + ## Enables HorizontalPodAutoscaling. + enabled: false + ## The annotations of the Ingress Controller HorizontalPodAutoscaler. + annotations: {} + ## Minimum number of replicas for the HPA. + minReplicas: 1 + ## Maximum number of replicas for the HPA. + maxReplicas: 3 + ## The target cpu utilization percentage. + targetCPUUtilizationPercentage: 50 + ## The target memory utilization percentage. + targetMemoryUtilizationPercentage: 50 + ## Custom behavior policies + behavior: {} + + ## The resources of the Ingress Controller pods. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The security context for the Ingress Controller pods. + podSecurityContext: + seccompProfile: + type: RuntimeDefault + + ## The security context for the Ingress Controller containers. + securityContext: + {} # Remove curly brackets before adding values + # allowPrivilegeEscalation: true + # readOnlyRootFilesystem: true + # runAsUser: 101 #nginx + # runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # add: + # - NET_BIND_SERVICE + + ## The security context for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerSecurityContext: {} + + ## The resources for the Ingress Controller init container which is used when readOnlyRootFilesystem is set to true. + initContainerResources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 1 + # memory: 1Gi + + ## The tolerations of the Ingress Controller pods. + tolerations: [] + + ## The affinity of the Ingress Controller pods. + affinity: {} + + ## The topology spread constraints of the Ingress controller pods. + # topologySpreadConstraints: {} + + ## The additional environment variables to be set on the Ingress Controller pods. + env: [] + # - name: MY_VAR + # value: myvalue + + ## The volumes of the Ingress Controller pods. + volumes: [] + # - name: extra-conf + # configMap: + # name: extra-conf + + ## The volumeMounts of the Ingress Controller pods. + volumeMounts: [] + # - name: extra-conf + # mountPath: /etc/nginx/conf.d/extra.conf + # subPath: extra.conf + + ## InitContainers for the Ingress Controller pods. + initContainers: [] + # - name: init-container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is initial setup!'] + + ## The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. + minReadySeconds: 0 + + ## Pod disruption budget for the Ingress Controller pods. + podDisruptionBudget: + ## Enables PodDisruptionBudget. + enabled: false + ## The annotations of the Ingress Controller pod disruption budget. + annotations: {} + ## The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". + # minAvailable: 1 + ## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". + # maxUnavailable: 1 + + ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value. + strategy: {} + + ## Extra containers for the Ingress Controller pods. + extraContainers: [] + # - name: container + # image: busybox:1.34 + # command: ['sh', '-c', 'echo this is a sidecar!'] + + ## The number of replicas of the Ingress Controller deployment. + replicaCount: 1 + + ## Configures the ingress class the Ingress Controller uses. + ingressClass: + ## A class of the Ingress Controller. + + ## IngressClass resource with the name equal to the class must be deployed. Otherwise, + ## the Ingress Controller will fail to start. + ## The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. + + ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. + name: nginx + + ## Creates a new IngressClass object with the name "controller.ingressClass.name". To use an existing IngressClass with the same name, set this value to false. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. + create: true + + ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". + setAsDefaultIngress: false + + ## Comma separated list of namespaces to watch for Ingress resources. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel". + watchNamespace: "" + + ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default, the Ingress Controller watches all namespaces. Mutually exclusive with "controller.watchNamespace". + watchNamespaceLabel: "" + + ## Comma separated list of namespaces to watch for Secret resources. By default, the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + + ## Enable the custom resources. + enableCustomResources: true + + ## Enable OIDC policies. + enableOIDC: false + + ## Include year in log header. This parameter will be removed in release 3.7 and the year will be included by default. + includeYear: false + + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. + enableTLSPassthrough: false + + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. + enableCertManager: false + + ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources. + enableExternalDNS: false + + globalConfiguration: + ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources. + create: false + + ## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. + spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format. + # listeners: + # - name: dns-udp + # port: 5353 + # protocol: UDP + # - name: dns-tcp + # port: 5353 + # protocol: TCP + + ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources. + enableSnippets: false + + ## Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request. + ## Useful for external health-checking of the Ingress Controller. + healthStatus: false + + ## Sets the URI of health status location in the default server. Requires controller.healthStatus. + healthStatusURI: "/nginx-health" + + nginxStatus: + ## Enable the NGINX stub_status, or the NGINX Plus API. + enable: true + + ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed. + port: 8080 + + ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. + allowCidrs: "127.0.0.1" + + service: + ## Creates a service to expose the Ingress Controller pods. + create: true + + ## The type of service to create for the Ingress Controller. + type: LoadBalancer + + ## The externalTrafficPolicy of the service. The value Local preserves the client source IP. + externalTrafficPolicy: Local + + ## The annotations of the Ingress Controller service. + annotations: {} + + ## The extra labels of the service. + extraLabels: {} + + ## The static IP address for the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerIP: "" + + ## The ClusterIP for the Ingress Controller service, autoassigned if not specified. + clusterIP: "" + + ## The list of external IPs for the Ingress Controller service. + externalIPs: [] + + ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. + loadBalancerSourceRanges: [] + + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + + ## Dual stack preference. + ## Valid values: SingleStack, PreferDualStack, RequireDualStack + # ipFamilyPolicy: SingleStack + + ## List of IP families assigned to this service. + ## Valid values: IPv4, IPv6 + # ipFamilies: + # - IPv6 + + httpPort: + ## Enables the HTTP port for the Ingress Controller service. + enable: true + + ## The HTTP port of the Ingress Controller service. + port: 80 + + ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort. + # nodePort: 80 + + ## The HTTP port on the POD where the Ingress Controller service is running. + targetPort: 80 + + httpsPort: + ## Enables the HTTPS port for the Ingress Controller service. + enable: true + + ## The HTTPS port of the Ingress Controller service. + port: 443 + + ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort. + # nodePort: 443 + + ## The HTTPS port on the POD where the Ingress Controller service is running. + targetPort: 443 + + ## A list of custom ports to expose through the Ingress Controller service. Follows the conventional Kubernetes yaml syntax for service ports. + customPorts: [] + + serviceAccount: + ## The annotations of the service account of the Ingress Controller pods. + annotations: {} + + ## The name of the service account of the Ingress Controller pods. Used for RBAC. + ## Autogenerated if not set or set to "". + # name: nginx-ingress + + ## The name of the secret containing docker registry credentials. + ## Secret must exist in the same namespace as the helm release. + imagePullSecretName: "" + + ## A list of secret names containing docker registry credentials. + ## Secrets must exist in the same namespace as the helm release. + imagePullSecretsNames: [] + + reportIngressStatus: + ## Updates the address field in the status of Ingress resources with an external address of the Ingress Controller. + ## You must also specify the source of the external address either through an external service via controller.reportIngressStatus.externalService, + ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the ConfigMap via controller.config.entries. + ## Note: controller.config.entries.external-status-address takes precedence over the others. + enable: true + + ## Specifies the name of the service with the type LoadBalancer through which the Ingress Controller is exposed externally. + ## The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ## The default is autogenerated and matches the created service (see controller.service.create). + # externalService: nginx-ingress + + ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. + ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. + ## controller.reportIngressStatus.enable must be set to true. + ingressLink: "" + + ## Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. controller.reportIngressStatus.enable must be set to true. + enableLeaderElection: true + + ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. + leaderElectionLockName: "nginx-ingress-leader" + + ## The annotations of the leader election configmap. + annotations: {} + + pod: + ## The annotations of the Ingress Controller pod. + annotations: {} + + ## The additional extra labels of the Ingress Controller pod. + extraLabels: {} + + ## The PriorityClass of the Ingress Controller pods. + # priorityClassName: "" + + readyStatus: + ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX has loaded all the config after startup. + enable: true + + ## Set the port where the readiness endpoint is exposed. + port: 8081 + + ## The number of seconds after the Ingress Controller pod has started before readiness probes are initiated. + initialDelaySeconds: 0 + + ## Enable collection of latency metrics for upstreams. Requires prometheus.create. + enableLatencyMetrics: false + + ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. + disableIPV6: false + + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + + ## Configure root filesystem as read-only and add volumes for temporary data. + ## Three major releases after 3.5.x this argument will be moved to the `securityContext` section. + ## This value will not be used if `controller.securityContext` is set + readOnlyRootFilesystem: false + + ## Enable dynamic reloading of certificates + enableSSLDynamicReload: true + + ## Configure telemetry reporting options + telemetryReporting: + ## Enable telemetry reporting + enable: true + + ## Allows weight adjustments without reloading the NGINX Configuration for two-way splits in NGINX Plus. + ## May require increasing map_hash_bucket_size, map_hash_max_size, + ## variable_hash_bucket_size, and variable_hash_max_size in the ConfigMap based on the number of two-way splits. + enableWeightChangesDynamicReload: false + +rbac: + ## Configures RBAC. + create: true + + clusterrole: + ## Create ClusterRole + create: true + +prometheus: + ## Expose NGINX or NGINX Plus metrics in the Prometheus format. + create: true + + ## Configures the port to scrape the metrics. + port: 9113 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Prometheus endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + + service: + ## Creates a ClusterIP Service to expose Prometheus metrics internally + ## Requires prometheus.create=true + create: false + + labels: + service: "nginx-ingress-prometheus-service" + + serviceMonitor: + ## Creates a serviceMonitor to expose statistics on the kubernetes pods. + create: false + + ## Kubernetes object labels to attach to the serviceMonitor object. + labels: {} + + ## A set of labels to allow the selection of endpoints for the ServiceMonitor. + selectorMatchLabels: + service: "nginx-ingress-prometheus-service" + + ## A list of endpoints allowed as part of this ServiceMonitor. + ## Matches on the name of a Service port. + endpoints: + - port: prometheus + +serviceInsight: + ## Expose NGINX Plus Service Insight endpoint. + create: false + + ## Configures the port to expose endpoint. + port: 9114 + + ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the Service Insight endpoint. + secret: "" + + ## Configures the HTTP scheme used. + scheme: http + +nginxServiceMesh: + ## Enables integration with NGINX Service Mesh. + enable: false + + ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller. + ## Requires nginxServiceMesh.enable + enableEgress: false + +nginxAgent: + ## Enables NGINX Agent. + enable: false + ## If nginxAgent.instanceGroup is not set the value of nginx-ingress.controller.fullname will be used + instanceGroup: "" + logLevel: "error" + ## Syslog listener which NGINX Agent uses to accept messages from App Protect WAF + syslog: + host: "127.0.0.1" + port: 1514 + napMonitoring: + collectorBufferSize: 50000 + processorBufferSize: 50000 + instanceManager: + # FQDN or IP for connecting to NGINX Instance Manager, e.g. nim.example.com + host: "" + grpcPort: 443 + sni: "" + tls: + enabled: true + skipVerify: false + ## kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager + secret: "" + ## nginx.org/ca secret for verification of Instance Manager TLS + caSecret: "" + ## The name of a custom ConfigMap to use instead of the one provided by default + customConfigMap: "" diff --git a/charts/f5/nginx-ingress/1.3.1/.helmignore b/charts/f5/nginx-ingress/1.3.1/.helmignore new file mode 100644 index 0000000000..c1347c2c27 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/.helmignore @@ -0,0 +1,2 @@ +# Patterns to ignore when building packages. +*.png diff --git a/charts/f5/nginx-ingress/Chart.yaml b/charts/f5/nginx-ingress/1.3.1/Chart.yaml similarity index 100% rename from charts/f5/nginx-ingress/Chart.yaml rename to charts/f5/nginx-ingress/1.3.1/Chart.yaml diff --git a/charts/f5/nginx-ingress/README.md b/charts/f5/nginx-ingress/1.3.1/README.md similarity index 100% rename from charts/f5/nginx-ingress/README.md rename to charts/f5/nginx-ingress/1.3.1/README.md diff --git a/charts/f5/nginx-ingress/1.3.1/app-readme.md b/charts/f5/nginx-ingress/1.3.1/app-readme.md new file mode 100644 index 0000000000..0824f4c0f0 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/app-readme.md @@ -0,0 +1,15 @@ +# NGINX Ingress Controller + +The [NGINX Ingress Controller](https://github.com/nginxinc/kubernetes-ingress) for Kubernetes provides an enterprise‑grade implementation of an Ingress controller for NGINX and NGINX Plus for Kubernetes applications. + +The Ingress controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress controller implementations. + +In the case of NGINX, the Ingress controller is deployed in a pod along with the load balancer. + +NGINX Ingress controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. + +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress controller supports load balancing Websocket, gRPC, TCP and UDP applications. See ConfigMap and Annotations docs to learn more about the supported features and customization options. + +As an alternative to the Ingress, NGINX Ingress controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. + +TCP, UDP and TLS Passthrough load balancing is also supported. diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_aplogconfs.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_aplogconfs.yaml new file mode 100644 index 0000000000..8aacce99c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_aplogconfs.yaml @@ -0,0 +1,83 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: aplogconfs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APLogConf + listKind: APLogConfList + plural: aplogconfs + singular: aplogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APLogConf is the Schema for the APLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APLogConfSpec defines the desired state of APLogConf + properties: + content: + properties: + escaping_characters: + items: + properties: + from: + type: string + to: + type: string + type: object + type: array + format: + enum: + - splunk + - arcsight + - default + - user-defined + - grpc + type: string + format_string: + type: string + list_delimiter: + type: string + list_prefix: + type: string + list_suffix: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + max_request_size: + pattern: ^([1-9]|[1-9][0-9]|[1-9][0-9]{2}|[1-9][0-9]{3}|10[0-2][0-9][0-9]|[1-9]k|10k|any)$ + type: string + type: object + filter: + properties: + request_type: + enum: + - all + - illegal + - blocked + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_appolicies.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_appolicies.yaml new file mode 100644 index 0000000000..4929c96247 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_appolicies.yaml @@ -0,0 +1,2172 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: appolicies.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APPolicy + listKind: APPolicyList + plural: appolicies + singular: appolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APPolicyConfig is the Schema for the APPolicyconfigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APPolicySpec defines the desired state of APPolicy + properties: + modifications: + items: + properties: + action: + type: string + description: + type: string + entity: + properties: + name: + type: string + type: object + entityChanges: + properties: + type: + type: string + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + modificationsReference: + properties: + link: + pattern: ^http + type: string + type: object + policy: + description: Defines the App Protect policy + properties: + applicationLanguage: + enum: + - iso-8859-10 + - iso-8859-6 + - windows-1255 + - auto-detect + - koi8-r + - gb18030 + - iso-8859-8 + - windows-1250 + - iso-8859-9 + - windows-1252 + - iso-8859-16 + - gb2312 + - iso-8859-2 + - iso-8859-5 + - windows-1257 + - windows-1256 + - iso-8859-13 + - windows-874 + - windows-1253 + - iso-8859-3 + - euc-jp + - utf-8 + - gbk + - windows-1251 + - big5 + - iso-8859-1 + - shift_jis + - euc-kr + - iso-8859-4 + - iso-8859-7 + - iso-8859-15 + type: string + blocking-settings: + properties: + evasions: + items: + properties: + description: + enum: + - '%u decoding' + - Apache whitespace + - Bad unescape + - Bare byte decoding + - Directory traversals + - IIS backslashes + - IIS Unicode codepoints + - Multiple decoding + - Multiple slashes + - Semicolon path parameters + - Trailing dot + - Trailing slash + type: string + enabled: + type: boolean + maxDecodingPasses: + type: integer + type: object + type: array + http-protocols: + items: + properties: + description: + enum: + - Unescaped space in URL + - Unparsable request content + - Several Content-Length headers + - 'POST request with Content-Length: 0' + - Null in request + - No Host header in HTTP/1.1 request + - Multiple host headers + - Host header contains IP address + - High ASCII characters in headers + - Header name with no header value + - CRLF characters before request start + - Content length should be a positive number + - Chunked request with Content-Length header + - Check maximum number of cookies + - Check maximum number of parameters + - Check maximum number of headers + - Body in GET or HEAD requests + - Bad multipart/form-data request parsing + - Bad multipart parameters parsing + - Bad HTTP version + - Bad host header value + type: string + enabled: + type: boolean + maxCookies: + maximum: 100 + minimum: 1 + type: integer + maxHeaders: + maximum: 150 + minimum: 1 + type: integer + maxParams: + maximum: 5000 + minimum: 1 + type: integer + type: object + type: array + violations: + items: + properties: + alarm: + type: boolean + block: + type: boolean + description: + type: string + name: + enum: + - VIOL_ACCESS_INVALID + - VIOL_ACCESS_MALFORMED + - VIOL_ACCESS_MISSING + - VIOL_ACCESS_UNAUTHORIZED + - VIOL_ASM_COOKIE_HIJACKING + - VIOL_ASM_COOKIE_MODIFIED + - VIOL_BLACKLISTED_IP + - VIOL_COOKIE_EXPIRED + - VIOL_COOKIE_LENGTH + - VIOL_COOKIE_MALFORMED + - VIOL_COOKIE_MODIFIED + - VIOL_CSRF + - VIOL_DATA_GUARD + - VIOL_ENCODING + - VIOL_EVASION + - VIOL_FILE_UPLOAD + - VIOL_FILE_UPLOAD_IN_BODY + - VIOL_FILETYPE + - VIOL_GRAPHQL_ERROR_RESPONSE + - VIOL_GRAPHQL_FORMAT + - VIOL_GRAPHQL_INTROSPECTION_QUERY + - VIOL_GRAPHQL_MALFORMED + - VIOL_GRPC_FORMAT + - VIOL_GRPC_MALFORMED + - VIOL_GRPC_METHOD + - VIOL_HEADER_LENGTH + - VIOL_HEADER_METACHAR + - VIOL_HEADER_REPEATED + - VIOL_HTTP_PROTOCOL + - VIOL_HTTP_RESPONSE_STATUS + - VIOL_JSON_FORMAT + - VIOL_JSON_MALFORMED + - VIOL_JSON_SCHEMA + - VIOL_MANDATORY_HEADER + - VIOL_MANDATORY_PARAMETER + - VIOL_MANDATORY_REQUEST_BODY + - VIOL_METHOD + - VIOL_PARAMETER + - VIOL_PARAMETER_ARRAY_VALUE + - VIOL_PARAMETER_DATA_TYPE + - VIOL_PARAMETER_EMPTY_VALUE + - VIOL_PARAMETER_LOCATION + - VIOL_PARAMETER_MULTIPART_NULL_VALUE + - VIOL_PARAMETER_NAME_METACHAR + - VIOL_PARAMETER_NUMERIC_VALUE + - VIOL_PARAMETER_REPEATED + - VIOL_PARAMETER_STATIC_VALUE + - VIOL_PARAMETER_VALUE_BASE64 + - VIOL_PARAMETER_VALUE_LENGTH + - VIOL_PARAMETER_VALUE_METACHAR + - VIOL_PARAMETER_VALUE_REGEXP + - VIOL_POST_DATA_LENGTH + - VIOL_QUERY_STRING_LENGTH + - VIOL_RATING_NEED_EXAMINATION + - VIOL_RATING_THREAT + - VIOL_REQUEST_LENGTH + - VIOL_REQUEST_MAX_LENGTH + - VIOL_THREAT_CAMPAIGN + - VIOL_URL + - VIOL_URL_CONTENT_TYPE + - VIOL_URL_LENGTH + - VIOL_URL_METACHAR + - VIOL_XML_FORMAT + - VIOL_XML_MALFORMED + type: string + type: object + type: array + type: object + blockingSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + bot-defense: + properties: + mitigations: + properties: + anomalies: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - default + - detect + - ignore + type: string + name: + type: string + scoreThreshold: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + type: array + browsers: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + type: string + maxVersion: + maximum: 2147483647 + minimum: 0 + type: integer + minVersion: + maximum: 2147483647 + minimum: 0 + type: integer + name: + type: string + type: object + type: array + classes: + items: + properties: + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + enum: + - browser + - malicious-bot + - suspicious-browser + - trusted-bot + - unknown + - untrusted-bot + type: string + type: object + type: array + signatures: + items: + properties: + $action: + enum: + - delete + type: string + action: + enum: + - alarm + - block + - detect + - ignore + type: string + name: + type: string + type: object + type: array + type: object + settings: + properties: + caseSensitiveHttpHeaders: + type: boolean + isEnabled: + type: boolean + type: object + type: object + browser-definitions: + items: + properties: + $action: + enum: + - delete + type: string + isUserDefined: + type: boolean + matchRegex: + type: string + matchString: + type: string + name: + type: string + type: object + type: array + caseInsensitive: + type: boolean + character-sets: + items: + properties: + characterSet: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + characterSetType: + enum: + - gwt-content + - header + - json-content + - parameter-name + - parameter-value + - plain-text-content + - url + - xml-content + type: string + type: object + type: array + characterSetReference: + properties: + link: + pattern: ^http + type: string + type: object + cookie-settings: + properties: + maximumCookieHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + cookieReference: + properties: + link: + pattern: ^http + type: string + type: object + cookieSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + cookies: + items: + properties: + $action: + enum: + - delete + type: string + accessibleOnlyThroughTheHttpProtocol: + type: boolean + attackSignaturesCheck: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + enforcementType: + type: string + insertSameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + maskValueInLogs: + type: boolean + name: + type: string + securedOverHttpsConnection: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + wildcardOrder: + type: integer + type: object + type: array + csrf-protection: + properties: + enabled: + type: boolean + expirationTimeInSeconds: + pattern: disabled|\d+ + type: string + sslOnly: + type: boolean + type: object + csrf-urls: + items: + properties: + $action: + enum: + - delete + type: string + enforcementAction: + enum: + - verify-origin + - none + type: string + method: + enum: + - GET + - POST + - any + type: string + url: + type: string + wildcardOrder: + type: integer + type: object + type: array + data-guard: + properties: + creditCardNumbers: + type: boolean + customPatterns: + type: boolean + customPatternsList: + items: + type: string + type: array + enabled: + type: boolean + enforcementMode: + enum: + - ignore-urls-in-list + - enforce-urls-in-list + type: string + enforcementUrls: + items: + type: string + type: array + firstCustomCharactersToExpose: + type: integer + lastCcnDigitsToExpose: + type: integer + lastCustomCharactersToExpose: + type: integer + lastSsnDigitsToExpose: + type: integer + maskData: + type: boolean + usSocialSecurityNumbers: + type: boolean + type: object + dataGuardReference: + properties: + link: + pattern: ^http + type: string + type: object + description: + type: string + enablePassiveMode: + type: boolean + enforcementMode: + enum: + - transparent + - blocking + type: string + enforcer-settings: + properties: + enforcerStateCookies: + properties: + httpOnlyAttribute: + type: boolean + sameSiteAttribute: + enum: + - lax + - none + - none-value + - strict + type: string + secureAttribute: + enum: + - always + - never + type: string + type: object + type: object + filetypeReference: + properties: + link: + pattern: ^http + type: string + type: object + filetypes: + items: + properties: + $action: + enum: + - delete + type: string + allowed: + type: boolean + checkPostDataLength: + type: boolean + checkQueryStringLength: + type: boolean + checkRequestLength: + type: boolean + checkUrlLength: + type: boolean + name: + type: string + postDataLength: + type: integer + queryStringLength: + type: integer + requestLength: + type: integer + responseCheck: + type: boolean + type: + enum: + - explicit + - wildcard + type: string + urlLength: + type: integer + wildcardOrder: + type: integer + type: object + type: array + fullPath: + type: string + general: + properties: + allowedResponseCodes: + items: + format: int32 + maximum: 999 + minimum: 100 + type: integer + type: array + customXffHeaders: + items: + type: string + type: array + maskCreditCardNumbersInRequest: + type: boolean + trustXff: + type: boolean + type: object + generalReference: + properties: + link: + pattern: ^http + type: string + type: object + graphql-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowIntrospectionQueries: + type: boolean + maximumBatchedQueries: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumQueryCost: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateParsingWarnings: + type: boolean + type: object + description: + type: string + metacharElementCheck: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + responseEnforcement: + properties: + blockDisallowedPatterns: + type: boolean + disallowedPatterns: + items: + type: string + type: array + type: object + sensitiveData: + items: + properties: + parameterName: + type: string + type: object + type: array + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + grpc-profiles: + items: + properties: + $action: + enum: + - delete + type: string + associateUrls: + type: boolean + attackSignaturesCheck: + type: boolean + decodeStringValuesAsBase64: + enum: + - disabled + - enabled + type: string + defenseAttributes: + properties: + allowUnknownFields: + type: boolean + maximumDataLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + description: + type: string + hasIdlFiles: + type: boolean + idlFiles: + items: + properties: + idlFile: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + importUrl: + type: string + isPrimary: + type: boolean + primaryIdlFileName: + type: string + type: object + type: array + metacharCheck: + type: boolean + metacharElementCheck: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: object + type: array + header-settings: + properties: + maximumHttpHeaderLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + type: object + headerReference: + properties: + link: + pattern: ^http + type: string + type: object + headerSettingsReference: + properties: + link: + pattern: ^http + type: string + type: object + headers: + items: + properties: + $action: + enum: + - delete + type: string + allowRepeatedOccurrences: + type: boolean + base64Decoding: + type: boolean + checkSignatures: + type: boolean + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + htmlNormalization: + type: boolean + mandatory: + type: boolean + maskValueInLogs: + type: boolean + name: + type: string + normalizationViolations: + type: boolean + percentDecoding: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlNormalization: + type: boolean + wildcardOrder: + type: integer + type: object + type: array + host-names: + items: + properties: + $action: + enum: + - delete + type: string + includeSubdomains: + type: boolean + name: + type: string + type: object + type: array + idl-files: + items: + properties: + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + json-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + maximumArrayLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumStructureDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumTotalLengthOfJSONData: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateJSONParsingWarnings: + type: boolean + type: object + description: + type: string + handleJsonValuesAsParameters: + type: boolean + hasValidationFiles: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + validationFiles: + items: + properties: + importUrl: + type: string + isPrimary: + type: boolean + jsonValidationFile: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: object + type: array + type: object + type: array + json-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + jsonProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + jsonValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + methodReference: + properties: + link: + pattern: ^http + type: string + type: object + methods: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + name: + type: string + open-api-files: + items: + properties: + link: + pattern: ^http + type: string + type: object + type: array + parameterReference: + properties: + link: + pattern: ^http + type: string + type: object + parameters: + items: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + type: array + response-pages: + items: + properties: + ajaxActionType: + enum: + - alert-popup + - custom + - redirect + type: string + ajaxCustomContent: + type: string + ajaxEnabled: + type: boolean + ajaxPopupMessage: + type: string + ajaxRedirectUrl: + type: string + grpcStatusCode: + pattern: ABORTED|ALREADY_EXISTS|CANCELLED|DATA_LOSS|DEADLINE_EXCEEDED|FAILED_PRECONDITION|INTERNAL|INVALID_ARGUMENT|NOT_FOUND|OK|OUT_OF_RANGE|PERMISSION_DENIED|RESOURCE_EXHAUSTED|UNAUTHENTICATED|UNAVAILABLE|UNIMPLEMENTED|UNKNOWN|d+ + type: string + grpcStatusMessage: + type: string + responseActionType: + enum: + - custom + - default + - erase-cookies + - redirect + - soap-fault + type: string + responseContent: + type: string + responseHeader: + type: string + responsePageType: + enum: + - ajax + - ajax-login + - captcha + - captcha-fail + - default + - failed-login-honeypot + - failed-login-honeypot-ajax + - hijack + - leaked-credentials + - leaked-credentials-ajax + - mobile + - persistent-flow + - xml + - grpc + type: string + responseRedirectUrl: + type: string + type: object + type: array + responsePageReference: + properties: + link: + pattern: ^http + type: string + type: object + sensitive-parameters: + items: + properties: + $action: + enum: + - delete + type: string + name: + type: string + type: object + type: array + sensitiveParameterReference: + properties: + link: + pattern: ^http + type: string + type: object + server-technologies: + items: + properties: + $action: + enum: + - delete + type: string + serverTechnologyName: + enum: + - Jenkins + - SharePoint + - Oracle Application Server + - Python + - Oracle Identity Manager + - Spring Boot + - CouchDB + - SQLite + - Handlebars + - Mustache + - Prototype + - Zend + - Redis + - Underscore.js + - Ember.js + - ZURB Foundation + - ef.js + - Vue.js + - UIKit + - TYPO3 CMS + - RequireJS + - React + - MooTools + - Laravel + - GraphQL + - Google Web Toolkit + - Express.js + - CodeIgniter + - Backbone.js + - AngularJS + - JavaScript + - Nginx + - Jetty + - Joomla + - JavaServer Faces (JSF) + - Ruby + - MongoDB + - Django + - Node.js + - Citrix + - JBoss + - Elasticsearch + - Apache Struts + - XML + - PostgreSQL + - IBM DB2 + - Sybase/ASE + - CGI + - Proxy Servers + - SSI (Server Side Includes) + - Cisco + - Novell + - Macromedia JRun + - BEA Systems WebLogic Server + - Lotus Domino + - MySQL + - Oracle + - Microsoft SQL Server + - PHP + - Outlook Web Access + - Apache/NCSA HTTP Server + - Apache Tomcat + - WordPress + - Macromedia ColdFusion + - Unix/Linux + - Microsoft Windows + - ASP.NET + - Front Page Server Extensions (FPSE) + - IIS + - WebDAV + - ASP + - Java Servlets/JSP + - jQuery + type: string + type: object + type: array + serverTechnologyReference: + properties: + link: + pattern: ^http + type: string + type: object + signature-requirements: + items: + properties: + $action: + enum: + - delete + type: string + tag: + type: string + type: object + type: array + signature-sets: + items: + properties: + $action: + enum: + - delete + type: string + alarm: + type: boolean + block: + type: boolean + name: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + signature-settings: + properties: + attackSignatureFalsePositiveMode: + enum: + - detect + - detect-and-allow + - disabled + type: string + minimumAccuracyForAutoAddedSignatures: + enum: + - high + - low + - medium + type: string + type: object + signatureReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSetReference: + properties: + link: + pattern: ^http + type: string + type: object + signatureSettingReference: + properties: + link: + pattern: ^http + type: string + type: object + signatures: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + softwareVersion: + type: string + template: + properties: + name: + type: string + type: object + threat-campaigns: + items: + properties: + isEnabled: + type: boolean + name: + type: string + type: object + type: array + threatCampaignReference: + properties: + link: + pattern: ^http + type: string + type: object + urlReference: + properties: + link: + pattern: ^http + type: string + type: object + urls: + items: + properties: + $action: + enum: + - delete + type: string + allowRenderingInFrames: + enum: + - never + - only-same + type: string + allowRenderingInFramesOnlyFrom: + type: string + attackSignaturesCheck: + type: boolean + clickjackingProtection: + type: boolean + description: + type: string + disallowFileUploadOfExecutables: + type: boolean + html5CrossOriginRequestsEnforcement: + properties: + allowOriginsEnforcementMode: + enum: + - replace-with + - unmodified + type: string + checkAllowedMethods: + type: boolean + crossDomainAllowedOrigin: + items: + properties: + includeSubDomains: + type: boolean + originName: + type: string + originPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + originProtocol: + enum: + - http + - http/https + - https + type: string + type: object + type: array + enforcementMode: + enum: + - disabled + - enforce + type: string + type: object + isAllowed: + type: boolean + mandatoryBody: + type: boolean + metacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + metacharsOnUrlCheck: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + methodOverrides: + items: + properties: + allowed: + type: boolean + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + type: string + type: object + type: array + methodsOverrideOnUrlCheck: + type: boolean + name: + type: string + operationId: + type: string + positionalParameters: + items: + properties: + parameter: + properties: + $action: + enum: + - delete + type: string + allowEmptyValue: + type: boolean + allowRepeatedParameterName: + type: boolean + arraySerializationFormat: + enum: + - csv + - form + - label + - matrix + - multi + - multipart + - pipe + - ssv + - tsv + type: string + attackSignaturesCheck: + type: boolean + checkMaxValue: + type: boolean + checkMaxValueLength: + type: boolean + checkMetachars: + type: boolean + checkMinValue: + type: boolean + checkMinValueLength: + type: boolean + checkMultipleOfValue: + type: boolean + contentProfile: + properties: + name: + type: string + type: object + dataType: + enum: + - alpha-numeric + - binary + - boolean + - decimal + - email + - integer + - none + - phone + type: string + decodeValueAsBase64: + enum: + - enabled + - disabled + - required + type: string + disallowFileUploadOfExecutables: + type: boolean + enableRegularExpression: + type: boolean + exclusiveMax: + type: boolean + exclusiveMin: + type: boolean + isBase64: + type: boolean + isCookie: + type: boolean + isHeader: + type: boolean + level: + enum: + - global + - url + type: string + mandatory: + type: boolean + maximumLength: + type: integer + maximumValue: + type: integer + metacharsOnParameterValueCheck: + type: boolean + minimumLength: + type: integer + minimumValue: + type: integer + multipleOf: + type: integer + name: + type: string + nameMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + objectSerializationStyle: + type: string + parameterEnumValues: + items: + type: string + type: array + parameterLocation: + enum: + - any + - cookie + - form-data + - header + - path + - query + type: string + regularExpression: + type: string + sensitiveParameter: + type: boolean + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + staticValues: + type: string + type: + enum: + - explicit + - wildcard + type: string + url: + properties: + method: + enum: + - ACL + - BCOPY + - BDELETE + - BMOVE + - BPROPFIND + - BPROPPATCH + - CHECKIN + - CHECKOUT + - CONNECT + - COPY + - DELETE + - GET + - HEAD + - LINK + - LOCK + - MERGE + - MKCOL + - MKWORKSPACE + - MOVE + - NOTIFY + - OPTIONS + - PATCH + - POLL + - POST + - PROPFIND + - PROPPATCH + - PUT + - REPORT + - RPC_IN_DATA + - RPC_OUT_DATA + - SEARCH + - SUBSCRIBE + - TRACE + - TRACK + - UNLINK + - UNLOCK + - UNSUBSCRIBE + - VERSION_CONTROL + - X-MS-ENUMATTS + - '*' + type: string + name: + type: string + protocol: + enum: + - http + - https + type: string + type: + enum: + - explicit + - wildcard + type: string + type: object + valueMetacharOverrides: + items: + properties: + isAllowed: + type: boolean + metachar: + type: string + type: object + type: array + valueType: + enum: + - array + - auto-detect + - dynamic-content + - dynamic-parameter-name + - ignore + - json + - object + - openapi-array + - static-content + - user-input + - xml + type: string + wildcardOrder: + type: integer + type: object + urlSegmentIndex: + type: integer + type: object + type: array + protocol: + enum: + - http + - https + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + type: + enum: + - explicit + - wildcard + type: string + urlContentProfiles: + items: + properties: + contentProfile: + properties: + name: + type: string + type: object + headerName: + type: string + headerOrder: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + headerValue: + type: string + name: + type: string + type: + enum: + - apply-content-signatures + - apply-value-and-content-signatures + - disallow + - do-nothing + - form-data + - gwt + - json + - xml + - grpc + type: string + type: object + type: array + wildcardOrder: + type: integer + type: object + type: array + whitelist-ips: + items: + properties: + $action: + enum: + - delete + type: string + blockRequests: + enum: + - always + - never + - policy-default + type: string + ipAddress: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + ipMask: + pattern: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' + type: string + neverLogRequests: + type: boolean + type: object + type: array + whitelistIpReference: + properties: + link: + pattern: ^http + type: string + type: object + xml-profiles: + items: + properties: + $action: + enum: + - delete + type: string + attackSignaturesCheck: + type: boolean + defenseAttributes: + properties: + allowCDATA: + type: boolean + allowDTDs: + type: boolean + allowExternalReferences: + type: boolean + allowProcessingInstructions: + type: boolean + maximumAttributeValueLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumAttributesPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumChildrenPerElement: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentDepth: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumDocumentSize: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumElements: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNSDeclarations: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNameLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + maximumNamespaceLength: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + tolerateCloseTagShorthand: + type: boolean + tolerateLeadingWhiteSpace: + type: boolean + tolerateNumericNames: + type: boolean + type: object + description: + type: string + enableWss: + type: boolean + followSchemaLinks: + type: boolean + name: + type: string + signatureOverrides: + items: + properties: + enabled: + type: boolean + name: + type: string + signatureId: + type: integer + tag: + type: string + type: object + type: array + useXmlResponsePage: + type: boolean + type: object + type: array + xml-validation-files: + items: + properties: + $action: + enum: + - delete + type: string + contents: + type: string + fileName: + type: string + isBase64: + type: boolean + type: object + type: array + xmlProfileReference: + properties: + link: + pattern: ^http + type: string + type: object + xmlValidationFileReference: + properties: + link: + pattern: ^http + type: string + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_apusersigs.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_apusersigs.yaml new file mode 100644 index 0000000000..6d71ed6336 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotect.f5.com_apusersigs.yaml @@ -0,0 +1,98 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: apusersigs.appprotect.f5.com +spec: + group: appprotect.f5.com + names: + kind: APUserSig + listKind: APUserSigList + plural: apusersigs + singular: apusersig + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APUserSig is the Schema for the apusersigs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APUserSigSpec defines the desired state of APUserSig + properties: + properties: + type: string + signatures: + items: + properties: + accuracy: + enum: + - high + - medium + - low + type: string + attackType: + properties: + name: + type: string + type: object + description: + type: string + name: + type: string + references: + properties: + type: + enum: + - bugtraq + - cve + - nessus + - url + type: string + value: + type: string + type: object + risk: + enum: + - high + - medium + - low + type: string + rule: + type: string + signatureType: + enum: + - request + - response + type: string + systems: + items: + properties: + name: + type: string + type: object + type: array + type: object + type: array + softwareVersion: + type: string + tag: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml new file mode 100644 index 0000000000..e23e87184b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdoslogconfs.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdoslogconfs.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosLogConf + listKind: APDosLogConfList + plural: apdoslogconfs + singular: apdoslogconf + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: APDosLogConf is the Schema for the APDosLogConfs API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: APDosLogConfSpec defines the desired state of APDosLogConf + properties: + content: + properties: + format: + enum: + - splunk + - arcsight + - user-defined + type: string + format_string: + type: string + max_message_size: + pattern: ^([1-9]|[1-5][0-9]|6[0-4])k$ + type: string + type: object + filter: + properties: + traffic-mitigation-stats: + enum: + - none + - all + default: all + type: string + bad-actors: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + attack-signatures: + pattern: ^(none|all|top ([1-9]|[1-9][0-9]|[1-9][0-9]{2,4}|100000))$ + default: top 10 + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdospolicy.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdospolicy.yaml new file mode 100644 index 0000000000..a16399a1a2 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_apdospolicy.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: apdospolicies.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: APDosPolicy + listKind: APDosPoliciesList + plural: apdospolicies + singular: apdospolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + type: object + description: APDosPolicy is the Schema for the APDosPolicy API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + description: APDosPolicySpec defines the desired state of APDosPolicy + properties: + mitigation_mode: + enum: + - "standard" + - "conservative" + - "none" + default: "standard" + type: string + signatures: + enum: + - "on" + - "off" + default: "on" + type: string + bad_actors: + enum: + - "on" + - "off" + default: "on" + type: string + automation_tools_detection: + enum: + - "on" + - "off" + default: "on" + type: string + tls_fingerprint: + enum: + - "on" + - "off" + default: "on" + type: string + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_dosprotectedresources.yaml new file mode 100644 index 0000000000..b7019df408 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -0,0 +1,103 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dosprotectedresources.appprotectdos.f5.com +spec: + group: appprotectdos.f5.com + names: + kind: DosProtectedResource + listKind: DosProtectedResourceList + plural: dosprotectedresources + shortNames: + - pr + singular: dosprotectedresource + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: DosProtectedResource defines a Dos protected resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DosProtectedResourceSpec defines the properties and values + a DosProtectedResource can have. + properties: + apDosMonitor: + description: 'ApDosMonitor is how NGINX App Protect DoS monitors the + stress level of the protected object. The monitor requests are sent + from localhost (127.0.0.1). Default value: URI - None, protocol + - http1, timeout - NGINX App Protect DoS default.' + properties: + protocol: + description: Protocol determines if the server listens on http1 + / http2 / grpc / websocket. The default is http1. + enum: + - http1 + - http2 + - grpc + - websocket + type: string + timeout: + description: Timeout determines how long (in seconds) should NGINX + App Protect DoS wait for a response. Default is 10 seconds for + http1/http2 and 5 seconds for grpc. + format: int64 + type: integer + uri: + description: 'URI is the destination to the desired protected + object in the nginx.conf:' + type: string + type: object + apDosPolicy: + description: ApDosPolicy is the namespace/name of a ApDosPolicy resource + type: string + dosAccessLogDest: + description: DosAccessLogDest is the network address for the access + logs + type: string + dosSecurityLog: + description: DosSecurityLog defines the security log of the DosProtectedResource. + properties: + apDosLogConf: + description: ApDosLogConf is the namespace/name of a APDosLogConf + resource + type: string + dosLogDest: + description: DosLogDest is the network address of a logging service, + can be either IP or DNS name. + type: string + enable: + description: Enable enables the security logging feature if set + to true + type: boolean + type: object + enable: + description: Enable enables the DOS feature if set to true + type: boolean + name: + description: Name is the name of protected object, max of 63 characters. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/f5/nginx-ingress/1.3.1/crds/externaldns.nginx.org_dnsendpoints.yaml b/charts/f5/nginx-ingress/1.3.1/crds/externaldns.nginx.org_dnsendpoints.yaml new file mode 100644 index 0000000000..0275738afc --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: dnsendpoints.externaldns.nginx.org +spec: + group: externaldns.nginx.org + names: + kind: DNSEndpoint + listKind: DNSEndpointList + plural: dnsendpoints + singular: dnsendpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: DNSEndpoint is the CRD wrapper for Endpoint + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: DNSEndpointSpec holds information about endpoints. + properties: + endpoints: + items: + description: Endpoint describes DNS Endpoint. + properties: + dnsName: + description: The hostname for the DNS record + type: string + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: ProviderSpecificProperty represents provider + specific config property. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + description: RecordType type of record, e.g. CNAME, A, SRV, + TXT, MX + type: string + targets: + description: The targets the DNS service points to + items: + type: string + type: array + type: object + type: array + type: object + status: + description: DNSEndpointStatus represents generation observed by the external + dns controller. + properties: + observedGeneration: + description: The generation observed by by the external-dns controller. + format: int64 + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_globalconfigurations.yaml b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_globalconfigurations.yaml new file mode 100644 index 0000000000..51fce137cd --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_globalconfigurations.yaml @@ -0,0 +1,106 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: globalconfigurations.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: GlobalConfiguration + listKind: GlobalConfigurationList + plural: globalconfigurations + shortNames: + - gc + singular: globalconfiguration + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GlobalConfiguration defines the GlobalConfiguration resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalConfigurationSpec is the spec of the GlobalConfiguration + resource. + properties: + listeners: + items: + description: Listener defines a listener. + properties: + name: + type: string + port: + type: integer + protocol: + type: string + ssl: + type: boolean + type: object + type: array + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_policies.yaml b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_policies.yaml new file mode 100644 index 0000000000..f275d3a441 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_policies.yaml @@ -0,0 +1,360 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: policies.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + apiKey: + description: APIKey defines an API Key policy. + properties: + clientSecret: + type: string + suppliedIn: + description: SuppliedIn defines the locations API Key should be + supplied in. + properties: + header: + items: + type: string + type: array + query: + items: + type: string + type: array + type: object + type: object + basicAuth: + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + scale: + type: boolean + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. + properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogBundle: + type: string + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. + properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_transportservers.yaml b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_transportservers.yaml new file mode 100644 index 0000000000..64ac70e949 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_transportservers.yaml @@ -0,0 +1,332 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: transportservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: TransportServer + listKind: TransportServerList + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Current state of the TransportServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .status.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TransportServer defines the TransportServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: TransportServerSpec is the spec of the TransportServer resource. + properties: + action: + description: TransportServerAction defines an action. + properties: + pass: + type: string + type: object + host: + type: string + ingressClassName: + type: string + listener: + description: TransportServerListener defines a listener for a TransportServer. + properties: + name: + type: string + protocol: + type: string + type: object + serverSnippets: + type: string + sessionParameters: + description: SessionParameters defines session parameters. + properties: + timeout: + type: string + type: object + streamSnippets: + type: string + tls: + description: TransportServerTLS defines TransportServerTLS configuration + for a TransportServer. + properties: + secret: + type: string + type: object + upstreamParameters: + description: UpstreamParameters defines parameters for an upstream. + properties: + connectTimeout: + type: string + nextUpstream: + type: boolean + nextUpstreamTimeout: + type: string + nextUpstreamTries: + type: integer + udpRequests: + type: integer + udpResponses: + type: integer + type: object + upstreams: + items: + description: TransportServerUpstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + failTimeout: + type: string + healthCheck: + description: TransportServerHealthCheck defines the parameters + for active Upstream HealthChecks. + properties: + enable: + type: boolean + fails: + type: integer + interval: + type: string + jitter: + type: string + match: + description: TransportServerMatch defines the parameters + of a custom health check. + properties: + expect: + type: string + send: + type: string + type: object + passes: + type: integer + port: + type: integer + timeout: + type: string + type: object + loadBalancingMethod: + type: string + maxConns: + type: integer + maxFails: + type: integer + name: + type: string + port: + type: integer + service: + type: string + type: object + type: array + type: object + status: + description: TransportServerStatus defines the status for the TransportServer + resource. + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualserverroutes.yaml b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualserverroutes.yaml new file mode 100644 index 0000000000..0125eef8a1 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -0,0 +1,729 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualserverroutes.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServerRoute + listKind: VirtualServerRouteList + plural: virtualserverroutes + shortNames: + - vsr + singular: virtualserverroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServerRoute. If the resource has a + valid status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServerRoute defines the VirtualServerRoute resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerRouteSpec is the spec of the VirtualServerRoute + resource. + properties: + host: + type: string + ingressClassName: + type: string + subroutes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerRouteStatus defines the status for the VirtualServerRoute + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + referencedBy: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualservers.yaml b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualservers.yaml new file mode 100644 index 0000000000..774449f8cc --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/crds/k8s.nginx.org_virtualservers.yaml @@ -0,0 +1,829 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + name: virtualservers.k8s.nginx.org +spec: + group: k8s.nginx.org + names: + kind: VirtualServer + listKind: VirtualServerList + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the VirtualServer. If the resource has a valid + status, it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.host + name: Host + type: string + - jsonPath: .status.externalEndpoints[*].ip + name: IP + type: string + - jsonPath: .status.externalEndpoints[*].hostname + name: ExternalHostname + priority: 1 + type: string + - jsonPath: .status.externalEndpoints[*].ports + name: Ports + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: VirtualServer defines the VirtualServer resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: VirtualServerSpec is the spec of the VirtualServer resource. + properties: + dos: + type: string + externalDNS: + description: ExternalDNS defines externaldns sub-resource of a virtual + server. + properties: + enable: + type: boolean + labels: + additionalProperties: + type: string + description: Labels stores labels defined for the Endpoint + type: object + providerSpecific: + description: ProviderSpecific stores provider specific config + items: + description: |- + ProviderSpecificProperty defines specific property + for using with ExternalDNS sub-resource. + properties: + name: + description: Name of the property + type: string + value: + description: Value of the property + type: string + type: object + type: array + recordTTL: + description: TTL for the record + format: int64 + type: integer + recordType: + type: string + type: object + gunzip: + type: boolean + host: + type: string + http-snippets: + type: string + ingressClassName: + type: string + internalRoute: + description: InternalRoute allows for the configuration of internal + routing. + type: boolean + listener: + description: VirtualServerListener references a custom http and/or + https listener defined in GlobalConfiguration. + properties: + http: + type: string + https: + type: string + type: object + policies: + items: + description: PolicyReference references a policy by name and an + optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + routes: + items: + description: Route defines a route. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the response + headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with the + add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + dos: + type: string + errorPages: + items: + description: ErrorPage defines an ErrorPage in a Route. + properties: + codes: + items: + type: integer + type: array + redirect: + description: ErrorPageRedirect defines a redirect for + an ErrorPage. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ErrorPageReturn defines a return for an ErrorPage. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + type: array + location-snippets: + type: string + matches: + items: + description: Match defines a match. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + conditions: + items: + description: Condition defines a condition in a MatchRule. + properties: + argument: + type: string + cookie: + type: string + header: + type: string + value: + type: string + variable: + type: string + type: object + type: array + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in + an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines + the request headers manipulation in an + ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP + Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines + the response headers manipulation in an + ActionProxy. + properties: + add: + items: + description: AddHeader defines an + HTTP Header with an optional Always + field to use with the add_header + NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect + in an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in + an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + path: + type: string + policies: + items: + description: PolicyReference references a policy by name and + an optional namespace. + properties: + name: + type: string + namespace: + type: string + type: object + type: array + route: + type: string + splits: + items: + description: Split defines a split. + properties: + action: + description: Action defines an action. + properties: + pass: + type: string + proxy: + description: ActionProxy defines a proxy in an Action. + properties: + requestHeaders: + description: ProxyRequestHeaders defines the request + headers manipulation in an ActionProxy. + properties: + pass: + type: boolean + set: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaders: + description: ProxyResponseHeaders defines the + response headers manipulation in an ActionProxy. + properties: + add: + items: + description: AddHeader defines an HTTP Header + with an optional Always field to use with + the add_header NGINX directive. + properties: + always: + type: boolean + name: + type: string + value: + type: string + type: object + type: array + hide: + items: + type: string + type: array + ignore: + items: + type: string + type: array + pass: + items: + type: string + type: array + type: object + rewritePath: + type: string + upstream: + type: string + type: object + redirect: + description: ActionRedirect defines a redirect in + an Action. + properties: + code: + type: integer + url: + type: string + type: object + return: + description: ActionReturn defines a return in an Action. + properties: + body: + type: string + code: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: + type: string + type: object + type: object + weight: + type: integer + type: object + type: array + type: object + type: array + server-snippets: + type: string + tls: + description: TLS defines TLS configuration for a VirtualServer. + properties: + cert-manager: + description: CertManager defines a cert manager config for a TLS. + properties: + cluster-issuer: + type: string + common-name: + type: string + duration: + type: string + issue-temp-cert: + type: boolean + issuer: + type: string + issuer-group: + type: string + issuer-kind: + type: string + renew-before: + type: string + usages: + type: string + type: object + redirect: + description: TLSRedirect defines a redirect for a TLS. + properties: + basedOn: + type: string + code: + type: integer + enable: + type: boolean + type: object + secret: + type: string + type: object + upstreams: + items: + description: Upstream defines an upstream. + properties: + backup: + type: string + backupPort: + type: integer + buffer-size: + type: string + buffering: + type: boolean + buffers: + description: UpstreamBuffers defines Buffer Configuration for + an Upstream. + properties: + number: + type: integer + size: + type: string + type: object + client-max-body-size: + type: string + connect-timeout: + type: string + fail-timeout: + type: string + healthCheck: + description: HealthCheck defines the parameters for active Upstream + HealthChecks. + properties: + connect-timeout: + type: string + enable: + type: boolean + fails: + type: integer + grpcService: + type: string + grpcStatus: + type: integer + headers: + items: + description: Header defines an HTTP Header. + properties: + name: + type: string + value: + type: string + type: object + type: array + interval: + type: string + jitter: + type: string + keepalive-time: + type: string + mandatory: + type: boolean + passes: + type: integer + path: + type: string + persistent: + type: boolean + port: + type: integer + read-timeout: + type: string + send-timeout: + type: string + statusMatch: + type: string + tls: + description: UpstreamTLS defines a TLS configuration for + an Upstream. + properties: + enable: + type: boolean + type: object + type: object + keepalive: + type: integer + lb-method: + type: string + max-conns: + type: integer + max-fails: + type: integer + name: + type: string + next-upstream: + type: string + next-upstream-timeout: + type: string + next-upstream-tries: + type: integer + ntlm: + type: boolean + port: + type: integer + queue: + description: UpstreamQueue defines Queue Configuration for an + Upstream. + properties: + size: + type: integer + timeout: + type: string + type: object + read-timeout: + type: string + send-timeout: + type: string + service: + type: string + sessionCookie: + description: SessionCookie defines the parameters for session + persistence. + properties: + domain: + type: string + enable: + type: boolean + expires: + type: string + httpOnly: + type: boolean + name: + type: string + path: + type: string + samesite: + type: string + secure: + type: boolean + type: object + slow-start: + type: string + subselector: + additionalProperties: + type: string + type: object + tls: + description: UpstreamTLS defines a TLS configuration for an + Upstream. + properties: + enable: + type: boolean + type: object + type: + type: string + use-cluster-ip: + type: boolean + type: object + type: array + type: object + status: + description: VirtualServerStatus defines the status for the VirtualServer + resource. + properties: + externalEndpoints: + items: + description: ExternalEndpoint defines the IP/ Hostname and ports + used to connect to this resource. + properties: + hostname: + type: string + ip: + type: string + ports: + type: string + type: object + type: array + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/f5/nginx-ingress/1.3.1/questions.yaml b/charts/f5/nginx-ingress/1.3.1/questions.yaml new file mode 100644 index 0000000000..b63834893b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/questions.yaml @@ -0,0 +1,185 @@ +questions: +- variable: controller.kind + type: enum + options: + - deployment + - daemonset + default: deployment + description: "The kind of the Ingress controller installation - deployment or daemonset." + label: Installation Kind + group: "Settings" +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.nginxplus + default: false + description: "Deploys the Ingress controller for NGINX Plus." + label: Deploy NGINX Plus + type: boolean + group: "NGINX Plus" + - variable: controller.appprotect.enable + default: false + description: "Enable the App Protect module in the Ingress Controller." + label: Enable the App Protect module. + type: boolean + - variable: controller.appprotectdos.enable + default: false + description: "Enable the App Protect DoS module in the Ingress Controller." + label: Enable the App Protect DoS module. + type: boolean + - variable: controller.image.repository + default: nginx/nginx-ingress + description: "The image repository of the Ingress controller." + type: string + label: NGINX Ingress Controller Image Repository + required: true + - variable: controller.image.tag + description: "The tag of the Ingress controller image." + type: string + label: NGINX Ingress Controller Image Tag + required: true + - variable: controller.image.pullPolicy + type: enum + options: + - IfNotPresent + - Always + - Never + default: IfNotPresent + description: "The pull policy for the Ingress controller image." + label: NGINX Ingress Controller Image Pull Policy + - variable: controller.serviceAccount.imagePullSecretName + default: "" + description: "The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release." + type: string + label: Image Pull Secret Name +- variable: controller.defaultTLS.secret + default: "" + description: "The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`." + label: TLS Secret + type: string + group: "Settings" +- variable: controller.ingressClass + default: nginx + description: "A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `[kubernetes.io/ingress.class]` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the [-use-ingress-class-only] flag." + label: Ingress Class + type: string + group: "Settings" + required: true + subquestions: + - variable: controller.useIngressClassOnly + default: false + description: "Ignore Ingress resources without the `[kubernetes.io/ingress.class]` annotation." + label: Use Ingress Class Only + type: boolean + group: "Settings" +- variable: controller.enableCustomResources + default: true + label: Enable Custom Resources + type: boolean + group: "Settings" + show_subquestion_if: true + subquestions: + - variable: controller.globalConfiguration.create + default: true + description: "Creates the GlobalConfiguration custom resource." + label: Create GlobalConfiguration Custom Resource + type: boolean + group: "Settings" + - variable: controller.enableOIDC + default: false + description: "Enables OIDC policies." + label: Enable OIDC policies + type: boolean + group: "Settings" + - variable: controller.enableCertManager + default: false + description: "Enables cert manager for Virtual Server resources." + label: Enable cert manager for Virtual Server resources + type: boolean + group: "Settings" + - variable: controller.enableExternalDNS + default: false + description: "Enables external-dns for Virtual Server resources." + label: Enable external-dns for Virtual Server resources + type: boolean + group: "Settings" +- variable: controller.watchNamespace + default: "" + description: "Comma-separated list of namespaces to watch for Ingress resources. By default the Ingress controller watches all namespaces." + label: Watch Namespace + type: string + group: "Settings" +- variable: controller.service.create + default: true + description: "Creates a service to expose the Ingress controller pods." + label: Create a Service + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.type + type: enum + options: + - LoadBalancer + - NodePort + default: LoadBalancer + description: "The type of service to create for the Ingress controller." + label: Type of Service +- variable: controller.service.httpPort.enable + default: true + description: "Enables the HTTP port for the Ingress controller service." + label: Enable HTTP Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpPort.port + default: 80 + description: "The HTTP port of the Ingress controller service." + label: HTTP Port + type: int + required: true +- variable: controller.service.httpsPort.enable + default: true + description: "Enables the HTTPS port for the Ingress controller service." + label: Enable HTTPS Port + type: boolean + group: "Service" + show_subquestion_if: true + subquestions: + - variable: controller.service.httpsPort.port + default: 443 + description: "The HTTPS port of the Ingress controller service." + label: HTTPS Port + type: int + required: true +- variable: prometheus.create + default: false + description: "Expose NGINX or NGINX Plus metrics in the Prometheus format." + label: Enable Exposing Prometheus Metrics + type: boolean + group: "Prometheus" + show_subquestion_if: true + subquestions: + - variable: prometheus.port + default: 9113 + description: "Configures the port to scrape the metrics." + label: Prometheus Port + type: int + required: true + - variable: prometheus.scheme + default: http + description: "Configures the HTTP scheme to use for connections to the Prometheus endpoint." + label: Prometheus Scheme + type: string + required: true + - variable: prometheus.secret + default: "" + description: "The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections." + label: Prometheus Secret + type: string diff --git a/charts/f5/nginx-ingress/1.3.1/templates/NOTES.txt b/charts/f5/nginx-ingress/1.3.1/templates/NOTES.txt new file mode 100644 index 0000000000..c9a2739771 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/NOTES.txt @@ -0,0 +1,13 @@ +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/_helpers.tpl b/charts/f5/nginx-ingress/1.3.1/templates/_helpers.tpl new file mode 100644 index 0000000000..051cd17b0d --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/_helpers.tpl @@ -0,0 +1,486 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "nginx-ingress.labels" -}} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Pod labels +*/}} +{{- define "nginx-ingress.podLabels" -}} +{{- include "nginx-ingress.selectorLabels" . }} +{{- if .Values.nginxServiceMesh.enable }} +nsm.nginx.com/enable-ingress: "true" +nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}" +nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }} +{{- end }} +{{- if .Values.controller.pod.extraLabels }} +{{ toYaml .Values.controller.pod.extraLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap. +*/}} +{{- define "nginx-ingress.configName" -}} +{{- if .Values.controller.customConfigMap -}} +{{ .Values.controller.customConfigMap }} +{{- else -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the configmap used for NGINX Agent. +*/}} +{{- define "nginx-ingress.agentConfigName" -}} +{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}} +{{ .Values.nginxAgent.customConfigMap }} +{{- else -}} +{{- printf "%s-agent-config" (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}} +{{- end -}} +{{- end -}} + +{{/* +Expand leader election lock name. +*/}} +{{- define "nginx-ingress.leaderElectionName" -}} +{{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} +{{ .Values.controller.reportIngressStatus.leaderElectionLockName }} +{{- else -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand service account name. +*/}} +{{- define "nginx-ingress.serviceAccountName" -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} +{{- end -}} + +{{/* +Expand default TLS name. +*/}} +{{- define "nginx-ingress.defaultTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} +{{- end -}} + +{{/* +Expand wildcard TLS name. +*/}} +{{- define "nginx-ingress.wildcardTLSName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} +{{- end -}} + +{{- define "nginx-ingress.tag" -}} +{{- default .Chart.AppVersion .Values.controller.image.tag -}} +{{- end -}} + +{{/* +Expand image name. +*/}} +{{- define "nginx-ingress.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-enforcer.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.enforcer.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{- define "nap-config-manager.image" -}} +{{ include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.appprotect.configManager.image "default" .Chart.AppVersion ) }} +{{- end -}} + +{{/* +Accepts an image struct like .Values.controller.image along with a default value to use +if the digest or tag is not set. Can be called like: +include "nginx-ingress.image-digest-or-tag" (dict "image" .Values.controller.image "default" .Chart.AppVersion +*/}} +{{- define "nginx-ingress.image-digest-or-tag" -}} +{{- if .image.digest -}} +{{- printf "%s@%s" .image.repository .image.digest -}} +{{- else -}} +{{- printf "%s:%s" .image.repository (default .default .image.tag) -}} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.prometheus.serviceName" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} +{{- end -}} + +{{/* +return if readOnlyRootFilesystem is enabled or not. +*/}} +{{- define "nginx-ingress.readOnlyRootFilesystem" -}} +{{- if or .Values.controller.readOnlyRootFilesystem (and .Values.controller.securityContext .Values.controller.securityContext.readOnlyRootFilesystem) -}} +true +{{- else -}} +false +{{- end -}} +{{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +{{- if and .Values.controller.debug .Values.controller.debug.enable }} +- --listen=:2345 +- --headless=true +- --log=true +- --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack +- --accept-multiclient +- --api-version=2 +- exec +- ./nginx-ingress +{{- if .Values.controller.debug.continue }} +- --continue +{{- end }} +- -- +{{- end -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.v5 }} +- -app-protect-enforcer-address="{{ .Values.controller.appprotect.enforcer.host | default "127.0.0.1" }}:{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" +{{- end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . }} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . }} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }} +- -enable-telemetry-reporting={{ .Values.controller.telemetryReporting.enable}} +- -weight-changes-dynamic-reload={{ .Values.controller.enableWeightChangesDynamicReload}} +{{- if .Values.nginxAgent.enable }} +- -agent=true +- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }} +{{- end }} +{{- end -}} + +{{/* +Volumes for controller. +*/}} +{{- define "nginx-ingress.volumes" -}} +{{- $volumesSet := "false" }} +volumes: +{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeEntries" . }} +{{- end -}} +{{- end -}} + +{{/* +List of volumes for controller. +*/}} +{{- define "nginx-ingress.volumeEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- name: nginx-etc + emptyDir: {} +- name: nginx-cache + emptyDir: {} +- name: nginx-lib + emptyDir: {} +- name: nginx-log + emptyDir: {} +{{- end }} +{{- if .Values.controller.appprotect.v5 }} +{{- toYaml .Values.controller.appprotect.volumes }} +{{- end }} +{{- if .Values.controller.volumes }} +{{ toYaml .Values.controller.volumes }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + configMap: + name: {{ include "nginx-ingress.agentConfigName" . }} +- name: agent-dynamic + emptyDir: {} +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + projected: + sources: +{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.secret }} +{{- end }} +{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + - secret: + name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }} +{{- end }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Volume mounts for controller. +*/}} +{{- define "nginx-ingress.volumeMounts" -}} +{{- $volumesSet := "false" }} +volumeMounts: +{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}} +{{ toYaml list | printf " %s" }} +{{- else }} +{{ include "nginx-ingress.volumeMountEntries" . }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.volumeMountEntries" -}} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} +- mountPath: /etc/nginx + name: nginx-etc +- mountPath: /var/cache/nginx + name: nginx-cache +- mountPath: /var/lib/nginx + name: nginx-lib +- mountPath: /var/log/nginx + name: nginx-log +{{- end }} +{{- if .Values.controller.appprotect.v5 }} +- name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: app-protect-config + mountPath: /opt/app_protect/config + # app-protect-bundles is mounted so that Ingress Controller + # can verify that referenced bundles are present +- name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end }} +{{- if .Values.controller.volumeMounts }} +{{ toYaml .Values.controller.volumeMounts }} +{{- end }} +{{- if .Values.nginxAgent.enable }} +- name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf +- name: agent-dynamic + mountPath: /var/lib/nginx-agent +{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }} +- name: nginx-agent-tls + mountPath: /etc/ssl/nms + readOnly: true +{{- end }} +{{- end -}} +{{- end -}} + +{{- define "nginx-ingress.appprotect.v5" -}} +{{- if .Values.controller.appprotect.v5}} +- name: waf-enforcer + image: {{ include "nap-enforcer.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.enforcer.image.pullPolicy }}" +{{- if .Values.controller.appprotect.enforcer.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.enforcer.securityContext | nindent 6 }} +{{- end }} + env: + - name: ENFORCER_PORT + value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}" + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config +- name: waf-config-mgr + image: {{ include "nap-config-manager.image" . }} + imagePullPolicy: "{{ .Values.controller.appprotect.configManager.image.pullPolicy }}" +{{- if .Values.controller.appprotect.configManager.securityContext }} + securityContext: +{{ toYaml .Values.controller.appprotect.configManager.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +{{- end}} +{{- end -}} + +{{- define "nginx-ingress.agentConfiguration" -}} +log: + level: {{ .Values.nginxAgent.logLevel }} + path: "" +server: + host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }} + grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }} +{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") "" }} + metrics: {{ .Values.nginxAgent.instanceManager.sni }} + command: {{ .Values.nginxAgent.instanceManager.sni }} +{{- end }} +{{- if .Values.nginxAgent.instanceManager.tls }} +tls: + enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default true }} + skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }} + {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }} + ca: "/etc/ssl/nms/ca.crt" + {{- end }} + {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }} + cert: "/etc/ssl/nms/tls.crt" + key: "/etc/ssl/nms/tls.key" + {{- end }} +{{- end }} +features: + - registration + - nginx-counting + - metrics-sender + - dataplane-status +extensions: + - nginx-app-protect + - nap-monitoring +nginx_app_protect: + report_interval: 15s + precompiled_publication: true +nap_monitoring: + collector_buffer_size: {{ .Values.nginxAgent.napMonitoring.collectorBufferSize }} + processor_buffer_size: {{ .Values.nginxAgent.napMonitoring.processorBufferSize }} + syslog_ip: {{ .Values.nginxAgent.syslog.host }} + syslog_port: {{ .Values.nginxAgent.syslog.port }} + +{{ end -}} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/clusterrole.yaml b/charts/f5/nginx-ingress/1.3.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..42566f9e47 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/clusterrole.yaml @@ -0,0 +1,169 @@ +{{- if and .Values.rbac.create .Values.rbac.clusterrole.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - namespaces + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "apps" + resources: + - replicasets + - daemonsets + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list +{{- if .Values.controller.reportIngressStatus.enable }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +{{- end }} +{{- if .Values.controller.appprotect.enable }} +- apiGroups: + - appprotect.f5.com + resources: + - appolicies + - aplogconfs + - apusersigs + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.appprotectdos.enable }} +- apiGroups: + - appprotectdos.f5.com + resources: + - apdospolicies + - apdoslogconfs + - dosprotectedresources + verbs: + - get + - watch + - list +{{- end }} +{{- if .Values.controller.enableCustomResources }} +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers + - virtualserverroutes + - globalconfigurations + - transportservers + - policies + verbs: + - list + - watch + - get +- apiGroups: + - k8s.nginx.org + resources: + - virtualservers/status + - virtualserverroutes/status + - policies/status + - transportservers/status + verbs: + - update +{{- end }} +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- apiGroups: + - cis.f5.com + resources: + - ingresslinks + verbs: + - list + - watch + - get +{{- end }} +{{- if .Values.controller.enableCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - list + - watch + - get + - update + - create + - delete +{{- end }} +{{- if .Values.controller.enableExternalDNS }} +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints + verbs: + - list + - watch + - get + - update + - create + - delete +- apiGroups: + - externaldns.nginx.org + resources: + - dnsendpoints/status + verbs: + - update +{{- end }} +{{- end}} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/clusterrolebinding.yaml b/charts/f5/nginx-ingress/1.3.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ed06c48ccb --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "nginx-ingress.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-configmap.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..8f1d3e47bb --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-configmap.yaml @@ -0,0 +1,32 @@ +{{- if not .Values.controller.customConfigMap -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.configName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: +{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }} +{{- end }} +--- +{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.agentConfigName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.config.annotations }} + annotations: +{{ toYaml .Values.controller.config.annotations | indent 4 }} +{{- end }} +data: + nginx-agent.conf: |- +{{ include "nginx-ingress.agentConfiguration" . | indent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-daemonset.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..268f127f85 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-daemonset.yaml @@ -0,0 +1,179 @@ +{{- if eq .Values.controller.kind "daemonset" }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - name: {{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{ if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{ end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + +{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + updateStrategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-deployment.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..95bf3bb165 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-deployment.yaml @@ -0,0 +1,186 @@ +{{- if eq .Values.controller.kind "deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} +{{- end }} +spec: + {{- if not .Values.controller.autoscaling.enabled }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "nginx-ingress.podLabels" . | nindent 8 }} +{{- if or .Values.prometheus.create .Values.controller.pod.annotations }} + annotations: +{{- if .Values.prometheus.create }} + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.prometheus.port }}" + prometheus.io/scheme: "{{ .Values.prometheus.scheme }}" +{{- end }} +{{- if .Values.controller.pod.annotations }} +{{ toYaml .Values.controller.pod.annotations | indent 8 }} +{{- end }} +{{- end }} + spec: +{{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 6 }} +{{- end }} +{{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} +{{- end }} +{{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} +{{- end }} +{{- include "nginx-ingress.volumes" . | indent 6 }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} + serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: true + securityContext: +{{ toYaml .Values.controller.podSecurityContext | indent 8 }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + hostNetwork: {{ .Values.controller.hostNetwork }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if .Values.controller.shareProcessNamespace }} + shareProcessNamespace: true + {{- end }} + containers: + - image: {{ include "nginx-ingress.image" . }} + name: {{ include "nginx-ingress.name" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" +{{- if .Values.controller.lifecycle }} + lifecycle: +{{ toYaml .Values.controller.lifecycle | indent 10 }} +{{- end }} + ports: +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if and $.Values.controller.hostPort.enable (index $.Values.controller.hostPort $key) }} + hostPort: {{ index $.Values.controller.hostPort $key }} + {{- end }} +{{- end }} +{{- if .Values.controller.customPorts }} +{{ toYaml .Values.controller.customPorts | indent 8 }} +{{- end }} +{{- if .Values.prometheus.create }} + - name: prometheus + containerPort: {{ .Values.prometheus.port }} +{{- end }} +{{- if .Values.serviceInsight.create }} + - name: service-insight + containerPort: {{ .Values.serviceInsight.port }} +{{- end }} +{{- if .Values.controller.readyStatus.enable }} + - name: readiness-port + containerPort: {{ .Values.controller.readyStatus.port }} + readinessProbe: + httpGet: + path: /nginx-ready + port: readiness-port + periodSeconds: 1 + initialDelaySeconds: {{ .Values.controller.readyStatus.initialDelaySeconds }} +{{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} +{{- if .Values.controller.securityContext }} + securityContext: +{{ toYaml .Values.controller.securityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: {{ .Values.controller.readOnlyRootFilesystem }} + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE +{{- end }} +{{- include "nginx-ingress.volumeMounts" . | indent 8 }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- if .Values.controller.env }} +{{ toYaml .Values.controller.env | indent 8 }} +{{- end }} +{{- if .Values.nginxServiceMesh.enable }} + - name: POD_SERVICEACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +{{- end }} + args: +{{- include "nginx-ingress.args" . | nindent 10 }} +{{- if .Values.controller.extraContainers }} + {{ toYaml .Values.controller.extraContainers | nindent 6 }} +{{- end }} + +{{- include "nginx-ingress.appprotect.v5" . | nindent 6 }} + +{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.initContainers }} + initContainers: +{{- end }} +{{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }} + - name: init-{{ include "nginx-ingress.name" . }} + image: {{ include "nginx-ingress.image" . }} + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] +{{- if .Values.controller.initContainerResources }} + resources: +{{ toYaml .Values.controller.initContainerResources | indent 10 }} +{{- end }} +{{- if .Values.controller.initContainerSecurityContext }} + securityContext: +{{ toYaml .Values.controller.initContainerSecurityContext | indent 10 }} +{{- else }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- end }} + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc +{{- end }} +{{- if .Values.controller.initContainers }} +{{ toYaml .Values.controller.initContainers | indent 6 }} +{{- end }} +{{- if .Values.controller.strategy }} + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} +{{- end }} +{{- if .Values.controller.minReadySeconds }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-globalconfiguration.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-globalconfiguration.yaml new file mode 100644 index 0000000000..9039ab0440 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-globalconfiguration.yaml @@ -0,0 +1,11 @@ +{{ if .Values.controller.globalConfiguration.create }} +apiVersion: k8s.nginx.org/v1alpha1 +kind: GlobalConfiguration +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +spec: +{{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-hpa.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..971aca90d3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-hpa.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "nginx-ingress.controller.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} +{{- if .Values.controller.autoscaling.behavior }} + behavior: +{{ toYaml .Values.controller.autoscaling.behavior | indent 4 }} +{{- end }} + metrics: + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-ingress-class.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-ingress-class.yaml new file mode 100644 index 0000000000..a351d697c6 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-ingress-class.yaml @@ -0,0 +1,14 @@ +{{ if .Values.controller.ingressClass.create }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClass.name }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.ingressClass.setAsDefaultIngress }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: nginx.org/ingress-controller +{{ end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-leader-election-configmap.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-leader-election-configmap.yaml new file mode 100644 index 0000000000..440914eb3e --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-leader-election-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations: +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-pdb.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-pdb.yaml new file mode 100644 index 0000000000..1c3ddc8ae5 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-pdb.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.podDisruptionBudget.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.podDisruptionBudget.annotations }} + annotations: +{{ toYaml .Values.controller.podDisruptionBudget.annotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} +{{- if .Values.controller.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.controller.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-prometheus-service.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-prometheus-service.yaml new file mode 100644 index 0000000000..d36514284b --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-prometheus-service.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.prometheus.create .Values.prometheus.service.create}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.prometheus.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.service.labels -}} + {{- toYaml .Values.prometheus.service.labels | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - name: prometheus + protocol: TCP + port: {{ .Values.prometheus.port }} + targetPort: {{ .Values.prometheus.port }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-role.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-role.yaml new file mode 100644 index 0000000000..e902381775 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-role.yaml @@ -0,0 +1,56 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-rolebinding.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..51ee528da3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "nginx-ingress.fullname" . }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "nginx-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "nginx-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-secret.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-secret.yaml new file mode 100644 index 0000000000..f9941e8878 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.defaultTLS.secret) (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.defaultTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.defaultTLS.cert }} + tls.key: {{ .Values.controller.defaultTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-service.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-service.yaml new file mode 100644 index 0000000000..a25de94561 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-service.yaml @@ -0,0 +1,72 @@ +{{- if .Values.controller.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "nginx-ingress.controller.service.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.service.extraLabels }} +{{ toYaml .Values.controller.service.extraLabels | indent 4 }} +{{- end }} +{{- if .Values.controller.service.annotations }} + annotations: +{{ toYaml .Values.controller.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.controller.service.clusterIP }} + clusterIP: {{ .Values.controller.service.clusterIP }} +{{- end }} +{{- if or (eq .Values.controller.service.type "LoadBalancer") (eq .Values.controller.service.type "NodePort") }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} +{{- end }} +{{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }} + {{- end }} + {{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} + {{- end }} +{{- end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.controller.service.ipFamilies }} + ipFamilies: {{ .Values.controller.service.ipFamilies }} + {{- end }} + ports: +{{- if .Values.controller.service.customPorts }} +{{ toYaml .Values.controller.service.customPorts | indent 2 }} +{{ end }} +{{- if .Values.controller.service.httpPort.enable }} + - port: {{ .Values.controller.service.httpPort.port }} + targetPort: {{ .Values.controller.service.httpPort.targetPort }} + protocol: TCP + name: http + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpPort.nodePort }} + {{- end }} +{{- end }} +{{- if .Values.controller.service.httpsPort.enable }} + - port: {{ .Values.controller.service.httpsPort.port }} + targetPort: {{ .Values.controller.service.httpsPort.targetPort }} + protocol: TCP + name: https + {{- if eq .Values.controller.service.type "NodePort" }} + nodePort: {{ .Values.controller.service.httpsPort.nodePort }} + {{- end }} +{{- end }} + selector: + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} + {{- if .Values.controller.service.externalIPs }} + externalIPs: +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} + {{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-serviceaccount.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..8cde4f5b01 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} +{{- if .Values.controller.serviceAccount.annotations }} + annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if or .Values.controller.serviceAccount.imagePullSecretName .Values.controller.serviceAccount.imagePullSecretsNames }} +imagePullSecrets: +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretName }} +- name: {{ .Values.controller.serviceAccount.imagePullSecretName}} +{{- end }} + +{{- if .Values.controller.serviceAccount.imagePullSecretsNames }} +{{- range .Values.controller.serviceAccount.imagePullSecretsNames }} +- name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-servicemonitor.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..e1a4268f95 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,21 @@ +{{- if .Values.prometheus.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "nginx-ingress.controller.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.prometheus.serviceMonitor.labels -}} + {{- toYaml .Values.prometheus.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- if .Values.prometheus.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.prometheus.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} + endpoints: + {{- toYaml .Values.prometheus.serviceMonitor.endpoints | nindent 4 }} +{{- end }} diff --git a/charts/f5/nginx-ingress/1.3.1/templates/controller-wildcard-secret.yaml b/charts/f5/nginx-ingress/1.3.1/templates/controller-wildcard-secret.yaml new file mode 100644 index 0000000000..3abe16c4c3 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/templates/controller-wildcard-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nginx-ingress.wildcardTLSName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.controller.wildcardTLS.cert }} + tls.key: {{ .Values.controller.wildcardTLS.key }} +{{- end }} diff --git a/charts/f5/nginx-ingress/values-icp.yaml b/charts/f5/nginx-ingress/1.3.1/values-icp.yaml similarity index 100% rename from charts/f5/nginx-ingress/values-icp.yaml rename to charts/f5/nginx-ingress/1.3.1/values-icp.yaml diff --git a/charts/f5/nginx-ingress/1.3.1/values-nsm.yaml b/charts/f5/nginx-ingress/1.3.1/values-nsm.yaml new file mode 100644 index 0000000000..47d11e0571 --- /dev/null +++ b/charts/f5/nginx-ingress/1.3.1/values-nsm.yaml @@ -0,0 +1,6 @@ +controller: + name: controller + enableLatencyMetrics: true +nginxServiceMesh: + enable: true + enableEgress: true diff --git a/charts/f5/nginx-ingress/values-plus.yaml b/charts/f5/nginx-ingress/1.3.1/values-plus.yaml similarity index 100% rename from charts/f5/nginx-ingress/values-plus.yaml rename to charts/f5/nginx-ingress/1.3.1/values-plus.yaml diff --git a/charts/f5/nginx-ingress/values.schema.json b/charts/f5/nginx-ingress/1.3.1/values.schema.json similarity index 100% rename from charts/f5/nginx-ingress/values.schema.json rename to charts/f5/nginx-ingress/1.3.1/values.schema.json diff --git a/charts/f5/nginx-ingress/values.yaml b/charts/f5/nginx-ingress/1.3.1/values.yaml similarity index 100% rename from charts/f5/nginx-ingress/values.yaml rename to charts/f5/nginx-ingress/1.3.1/values.yaml diff --git a/charts/fairwinds/polaris/5.11.1/CHANGELOG.md b/charts/fairwinds/polaris/5.11.1/CHANGELOG.md new file mode 100644 index 0000000000..f9b7fbfc9a --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/CHANGELOG.md @@ -0,0 +1,69 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.11.1/Chart.yaml b/charts/fairwinds/polaris/5.11.1/Chart.yaml new file mode 100644 index 0000000000..f99ff6cb40 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.4" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.11.1 diff --git a/charts/fairwinds/polaris/5.11.1/README.md b/charts/fairwinds/polaris/5.11.1/README.md new file mode 100644 index 0000000000..497f7f8ff4 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/README.md @@ -0,0 +1,105 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/README.md.gotmpl b/charts/fairwinds/polaris/5.11.1/README.md.gotmpl similarity index 100% rename from charts/fairwinds/polaris/README.md.gotmpl rename to charts/fairwinds/polaris/5.11.1/README.md.gotmpl diff --git a/charts/fairwinds/polaris/ci/merge-values.yaml b/charts/fairwinds/polaris/5.11.1/ci/merge-values.yaml similarity index 100% rename from charts/fairwinds/polaris/ci/merge-values.yaml rename to charts/fairwinds/polaris/5.11.1/ci/merge-values.yaml diff --git a/charts/fairwinds/polaris/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.11.1/ci/test-values-2.yaml similarity index 100% rename from charts/fairwinds/polaris/ci/test-values-2.yaml rename to charts/fairwinds/polaris/5.11.1/ci/test-values-2.yaml diff --git a/charts/fairwinds/polaris/5.11.1/ci/test-values.yaml b/charts/fairwinds/polaris/5.11.1/ci/test-values.yaml new file mode 100644 index 0000000000..cf152ccb70 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/ci/test-values.yaml @@ -0,0 +1,15 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 diff --git a/charts/fairwinds/polaris/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.11.1/templates/0-namespace.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/0-namespace.yaml rename to charts/fairwinds/polaris/5.11.1/templates/0-namespace.yaml diff --git a/charts/fairwinds/polaris/templates/NOTES.txt b/charts/fairwinds/polaris/5.11.1/templates/NOTES.txt similarity index 100% rename from charts/fairwinds/polaris/templates/NOTES.txt rename to charts/fairwinds/polaris/5.11.1/templates/NOTES.txt diff --git a/charts/fairwinds/polaris/templates/_helpers.tpl b/charts/fairwinds/polaris/5.11.1/templates/_helpers.tpl similarity index 100% rename from charts/fairwinds/polaris/templates/_helpers.tpl rename to charts/fairwinds/polaris/5.11.1/templates/_helpers.tpl diff --git a/charts/fairwinds/polaris/templates/audit.job.yaml b/charts/fairwinds/polaris/5.11.1/templates/audit.job.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/audit.job.yaml rename to charts/fairwinds/polaris/5.11.1/templates/audit.job.yaml diff --git a/charts/fairwinds/polaris/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.11.1/templates/audit.rbac.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/audit.rbac.yaml rename to charts/fairwinds/polaris/5.11.1/templates/audit.rbac.yaml diff --git a/charts/fairwinds/polaris/5.11.1/templates/configmap.yaml b/charts/fairwinds/polaris/5.11.1/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.11.1/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.11.1/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..1742bd5633 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/templates/dashboard.deployment.yaml @@ -0,0 +1,130 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.11.1/templates/dashboard.service.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/dashboard.service.yaml rename to charts/fairwinds/polaris/5.11.1/templates/dashboard.service.yaml diff --git a/charts/fairwinds/polaris/5.11.1/templates/ingress.yaml b/charts/fairwinds/polaris/5.11.1/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.11.1/templates/mutate-webhook.configuration.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/mutate-webhook.configuration.yaml rename to charts/fairwinds/polaris/5.11.1/templates/mutate-webhook.configuration.yaml diff --git a/charts/fairwinds/polaris/templates/rbac.yaml b/charts/fairwinds/polaris/5.11.1/templates/rbac.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/rbac.yaml rename to charts/fairwinds/polaris/5.11.1/templates/rbac.yaml diff --git a/charts/fairwinds/polaris/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.11.1/templates/serviceaccount.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/serviceaccount.yaml rename to charts/fairwinds/polaris/5.11.1/templates/serviceaccount.yaml diff --git a/charts/fairwinds/polaris/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.11.1/templates/validate-webhook.configuration.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/validate-webhook.configuration.yaml rename to charts/fairwinds/polaris/5.11.1/templates/validate-webhook.configuration.yaml diff --git a/charts/fairwinds/polaris/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.11.1/templates/webhook.cert.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/webhook.cert.yaml rename to charts/fairwinds/polaris/5.11.1/templates/webhook.cert.yaml diff --git a/charts/fairwinds/polaris/5.11.1/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.11.1/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..cce1092abd --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/templates/webhook.deployment.yaml @@ -0,0 +1,132 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.11.1/templates/webhook.service.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/webhook.service.yaml rename to charts/fairwinds/polaris/5.11.1/templates/webhook.service.yaml diff --git a/charts/fairwinds/polaris/5.11.1/values.yaml b/charts/fairwinds/polaris/5.11.1/values.yaml new file mode 100644 index 0000000000..3f9b653828 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.1/values.yaml @@ -0,0 +1,248 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.11.2/CHANGELOG.md b/charts/fairwinds/polaris/5.11.2/CHANGELOG.md new file mode 100644 index 0000000000..f9b7fbfc9a --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/CHANGELOG.md @@ -0,0 +1,69 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.11.2/Chart.yaml b/charts/fairwinds/polaris/5.11.2/Chart.yaml new file mode 100644 index 0000000000..2ef5d776ac --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.4" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.11.2 diff --git a/charts/fairwinds/polaris/5.11.2/README.md b/charts/fairwinds/polaris/5.11.2/README.md new file mode 100644 index 0000000000..497f7f8ff4 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/README.md @@ -0,0 +1,105 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.11.2/README.md.gotmpl b/charts/fairwinds/polaris/5.11.2/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.11.2/ci/merge-values.yaml b/charts/fairwinds/polaris/5.11.2/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.11.2/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.11.2/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.11.2/ci/test-values.yaml b/charts/fairwinds/polaris/5.11.2/ci/test-values.yaml new file mode 100644 index 0000000000..cf152ccb70 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/ci/test-values.yaml @@ -0,0 +1,15 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 diff --git a/charts/fairwinds/polaris/5.11.2/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.11.2/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/NOTES.txt b/charts/fairwinds/polaris/5.11.2/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.11.2/templates/_helpers.tpl b/charts/fairwinds/polaris/5.11.2/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/audit.job.yaml b/charts/fairwinds/polaris/5.11.2/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.11.2/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/configmap.yaml b/charts/fairwinds/polaris/5.11.2/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.11.2/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.11.2/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..1742bd5633 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/dashboard.deployment.yaml @@ -0,0 +1,130 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.11.2/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/ingress.yaml b/charts/fairwinds/polaris/5.11.2/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.11.2/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/rbac.yaml b/charts/fairwinds/polaris/5.11.2/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.11.2/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.11.2/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.11.2/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.11.2/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.11.2/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.11.2/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..cce1092abd --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/webhook.deployment.yaml @@ -0,0 +1,132 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.11.2/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.11.2/values.yaml b/charts/fairwinds/polaris/5.11.2/values.yaml new file mode 100644 index 0000000000..3f9b653828 --- /dev/null +++ b/charts/fairwinds/polaris/5.11.2/values.yaml @@ -0,0 +1,248 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.12.0/CHANGELOG.md b/charts/fairwinds/polaris/5.12.0/CHANGELOG.md new file mode 100644 index 0000000000..f9b7fbfc9a --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/CHANGELOG.md @@ -0,0 +1,69 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.12.0/Chart.yaml b/charts/fairwinds/polaris/5.12.0/Chart.yaml new file mode 100644 index 0000000000..9b46540890 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.4" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.12.0 diff --git a/charts/fairwinds/polaris/5.12.0/README.md b/charts/fairwinds/polaris/5.12.0/README.md new file mode 100644 index 0000000000..a2fbbf5338 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/README.md @@ -0,0 +1,107 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.12.0/README.md.gotmpl b/charts/fairwinds/polaris/5.12.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.12.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.12.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.12.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.12.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/ci/test-values.yaml b/charts/fairwinds/polaris/5.12.0/ci/test-values.yaml similarity index 100% rename from charts/fairwinds/polaris/ci/test-values.yaml rename to charts/fairwinds/polaris/5.12.0/ci/test-values.yaml diff --git a/charts/fairwinds/polaris/5.12.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.12.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.12.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.12.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.12.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.12.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/configmap.yaml b/charts/fairwinds/polaris/5.12.0/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.12.0/templates/dashboard.deployment.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/dashboard.deployment.yaml rename to charts/fairwinds/polaris/5.12.0/templates/dashboard.deployment.yaml diff --git a/charts/fairwinds/polaris/5.12.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.12.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/ingress.yaml b/charts/fairwinds/polaris/5.12.0/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.12.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.12.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.12.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.12.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.12.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.12.0/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..1e085c5fc4 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/webhook.deployment.yaml @@ -0,0 +1,136 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.12.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.0/values.yaml b/charts/fairwinds/polaris/5.12.0/values.yaml new file mode 100644 index 0000000000..f86788d2ff --- /dev/null +++ b/charts/fairwinds/polaris/5.12.0/values.yaml @@ -0,0 +1,252 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.12.1/CHANGELOG.md b/charts/fairwinds/polaris/5.12.1/CHANGELOG.md new file mode 100644 index 0000000000..f9b7fbfc9a --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/CHANGELOG.md @@ -0,0 +1,69 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.12.1/Chart.yaml b/charts/fairwinds/polaris/5.12.1/Chart.yaml new file mode 100644 index 0000000000..bac4f18a1d --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.4" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.12.1 diff --git a/charts/fairwinds/polaris/5.12.1/README.md b/charts/fairwinds/polaris/5.12.1/README.md new file mode 100644 index 0000000000..5e9ed04528 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/README.md @@ -0,0 +1,107 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.12.1/README.md.gotmpl b/charts/fairwinds/polaris/5.12.1/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.12.1/ci/merge-values.yaml b/charts/fairwinds/polaris/5.12.1/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.12.1/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.12.1/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.12.1/ci/test-values.yaml b/charts/fairwinds/polaris/5.12.1/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.12.1/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.12.1/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/NOTES.txt b/charts/fairwinds/polaris/5.12.1/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.1/templates/_helpers.tpl b/charts/fairwinds/polaris/5.12.1/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/audit.job.yaml b/charts/fairwinds/polaris/5.12.1/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.12.1/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/configmap.yaml b/charts/fairwinds/polaris/5.12.1/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.1/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.12.1/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.12.1/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/ingress.yaml b/charts/fairwinds/polaris/5.12.1/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.12.1/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/rbac.yaml b/charts/fairwinds/polaris/5.12.1/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.1/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.12.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.12.1/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.12.1/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.12.1/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.12.1/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..1e085c5fc4 --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/webhook.deployment.yaml @@ -0,0 +1,136 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.12.1/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.12.1/values.yaml b/charts/fairwinds/polaris/5.12.1/values.yaml new file mode 100644 index 0000000000..024462a6fd --- /dev/null +++ b/charts/fairwinds/polaris/5.12.1/values.yaml @@ -0,0 +1,252 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.13.0/CHANGELOG.md b/charts/fairwinds/polaris/5.13.0/CHANGELOG.md new file mode 100644 index 0000000000..fe37c8ed49 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/CHANGELOG.md @@ -0,0 +1,72 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.13.0 +* Update Polaris to 8.5.0 + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.13.0/Chart.yaml b/charts/fairwinds/polaris/5.13.0/Chart.yaml new file mode 100644 index 0000000000..f3551a4fdc --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.5" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.13.0 diff --git a/charts/fairwinds/polaris/5.13.0/README.md b/charts/fairwinds/polaris/5.13.0/README.md new file mode 100644 index 0000000000..5e9ed04528 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/README.md @@ -0,0 +1,107 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.13.0/README.md.gotmpl b/charts/fairwinds/polaris/5.13.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.13.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.13.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.13.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.13.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.13.0/ci/test-values.yaml b/charts/fairwinds/polaris/5.13.0/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.13.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.13.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.13.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.13.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.13.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.13.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.13.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/configmap.yaml b/charts/fairwinds/polaris/5.13.0/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.13.0/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.13.0/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.13.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/ingress.yaml b/charts/fairwinds/polaris/5.13.0/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.13.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.13.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.13.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.13.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.13.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.13.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.13.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.13.0/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..1e085c5fc4 --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/webhook.deployment.yaml @@ -0,0 +1,136 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.13.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.13.0/values.yaml b/charts/fairwinds/polaris/5.13.0/values.yaml new file mode 100644 index 0000000000..024462a6fd --- /dev/null +++ b/charts/fairwinds/polaris/5.13.0/values.yaml @@ -0,0 +1,252 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.14.0/CHANGELOG.md b/charts/fairwinds/polaris/5.14.0/CHANGELOG.md new file mode 100644 index 0000000000..fe37c8ed49 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/CHANGELOG.md @@ -0,0 +1,72 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.13.0 +* Update Polaris to 8.5.0 + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.14.0/Chart.yaml b/charts/fairwinds/polaris/5.14.0/Chart.yaml new file mode 100644 index 0000000000..71a4031866 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.5" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.14.0 diff --git a/charts/fairwinds/polaris/5.14.0/README.md b/charts/fairwinds/polaris/5.14.0/README.md new file mode 100644 index 0000000000..b4e0a2948e --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/README.md @@ -0,0 +1,108 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.logLevel | string | `"info"` | Set the logging level for the Webhook command | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.14.0/README.md.gotmpl b/charts/fairwinds/polaris/5.14.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.14.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.14.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.14.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.14.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.14.0/ci/test-values.yaml b/charts/fairwinds/polaris/5.14.0/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.14.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.14.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.14.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.14.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.14.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.14.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.14.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/configmap.yaml b/charts/fairwinds/polaris/5.14.0/templates/configmap.yaml new file mode 100644 index 0000000000..ba72dec1a0 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/configmap.yaml @@ -0,0 +1,22 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.14.0/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.14.0/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.14.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/ingress.yaml b/charts/fairwinds/polaris/5.14.0/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.14.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.14.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.14.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.14.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.14.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.14.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.14.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.14.0/templates/webhook.deployment.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/webhook.deployment.yaml rename to charts/fairwinds/polaris/5.14.0/templates/webhook.deployment.yaml diff --git a/charts/fairwinds/polaris/5.14.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.14.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.14.0/values.yaml b/charts/fairwinds/polaris/5.14.0/values.yaml new file mode 100644 index 0000000000..cd84618280 --- /dev/null +++ b/charts/fairwinds/polaris/5.14.0/values.yaml @@ -0,0 +1,254 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.logLevel -- Set the logging level for the Webhook command + logLevel: info + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.15.0/CHANGELOG.md b/charts/fairwinds/polaris/5.15.0/CHANGELOG.md new file mode 100644 index 0000000000..96c659ed5a --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/CHANGELOG.md @@ -0,0 +1,76 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.15.0 + +* Support `string` type of `config` value + +## 5.13.0 +* Update Polaris to 8.5.0 + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.15.0/Chart.yaml b/charts/fairwinds/polaris/5.15.0/Chart.yaml new file mode 100644 index 0000000000..847456f5f7 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.5" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.15.0 diff --git a/charts/fairwinds/polaris/5.15.0/README.md b/charts/fairwinds/polaris/5.15.0/README.md new file mode 100644 index 0000000000..b4e0a2948e --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/README.md @@ -0,0 +1,108 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.logLevel | string | `"info"` | Set the logging level for the Webhook command | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.15.0/README.md.gotmpl b/charts/fairwinds/polaris/5.15.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.15.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.15.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.15.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.15.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.15.0/ci/test-values.yaml b/charts/fairwinds/polaris/5.15.0/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.15.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.15.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.15.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.15.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.15.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.15.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.15.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/configmap.yaml b/charts/fairwinds/polaris/5.15.0/templates/configmap.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/configmap.yaml rename to charts/fairwinds/polaris/5.15.0/templates/configmap.yaml diff --git a/charts/fairwinds/polaris/5.15.0/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.15.0/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.15.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/ingress.yaml b/charts/fairwinds/polaris/5.15.0/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.15.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.15.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.15.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.15.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.15.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.15.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.15.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.15.0/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..dc8c6fe5e0 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/webhook.deployment.yaml @@ -0,0 +1,139 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + {{- if .Values.webhook.logLevel }} + - --log-level={{ .Values.webhook.logLevel }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.15.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.15.0/values.yaml b/charts/fairwinds/polaris/5.15.0/values.yaml new file mode 100644 index 0000000000..cd84618280 --- /dev/null +++ b/charts/fairwinds/polaris/5.15.0/values.yaml @@ -0,0 +1,254 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.logLevel -- Set the logging level for the Webhook command + logLevel: info + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.16.0/CHANGELOG.md b/charts/fairwinds/polaris/5.16.0/CHANGELOG.md new file mode 100644 index 0000000000..581cee468d --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/CHANGELOG.md @@ -0,0 +1,79 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.16.0 +* Added default PDBs for both the webhook and the dashboard + +## 5.15.0 + +* Support `string` type of `config` value + +## 5.13.0 +* Update Polaris to 8.5.0 + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/5.16.0/Chart.yaml b/charts/fairwinds/polaris/5.16.0/Chart.yaml new file mode 100644 index 0000000000..a786df4e76 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.5" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.16.0 diff --git a/charts/fairwinds/polaris/5.16.0/README.md b/charts/fairwinds/polaris/5.16.0/README.md new file mode 100644 index 0000000000..3c6637a1bf --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/README.md @@ -0,0 +1,110 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| dashboard.pdb.enable | bool | `true` | If true, enables a PDB for the dashboard | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.logLevel | string | `"info"` | Set the logging level for the Webhook command | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| webhook.pdb.enable | bool | `true` | If true, enables a PDB for the webhook | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.16.0/README.md.gotmpl b/charts/fairwinds/polaris/5.16.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.16.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.16.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.16.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.16.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.16.0/ci/test-values.yaml b/charts/fairwinds/polaris/5.16.0/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.16.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.16.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.16.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.16.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.16.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.16.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.16.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/configmap.yaml b/charts/fairwinds/polaris/5.16.0/templates/configmap.yaml new file mode 100644 index 0000000000..e4fd9ec68a --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/configmap.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- if kindIs "map" . }} + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "string" . }} + {{- . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.16.0/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.16.0/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/dashboard.pdb.yaml b/charts/fairwinds/polaris/5.16.0/templates/dashboard.pdb.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/dashboard.pdb.yaml rename to charts/fairwinds/polaris/5.16.0/templates/dashboard.pdb.yaml diff --git a/charts/fairwinds/polaris/5.16.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.16.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/ingress.yaml b/charts/fairwinds/polaris/5.16.0/templates/ingress.yaml new file mode 100644 index 0000000000..d0cdd308f2 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/ingress.yaml @@ -0,0 +1,53 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: +{{- if and (.Values.dashboard.ingress.ingressClassName) (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- end }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + {{- if not ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + {{- else }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end }} + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.16.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.16.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.16.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.16.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.16.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.16.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.16.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.16.0/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..dc8c6fe5e0 --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/webhook.deployment.yaml @@ -0,0 +1,139 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + {{- if .Values.webhook.logLevel }} + - --log-level={{ .Values.webhook.logLevel }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/webhook.pdb.yaml b/charts/fairwinds/polaris/5.16.0/templates/webhook.pdb.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/webhook.pdb.yaml rename to charts/fairwinds/polaris/5.16.0/templates/webhook.pdb.yaml diff --git a/charts/fairwinds/polaris/5.16.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.16.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.16.0/values.yaml b/charts/fairwinds/polaris/5.16.0/values.yaml new file mode 100644 index 0000000000..27d2f4100e --- /dev/null +++ b/charts/fairwinds/polaris/5.16.0/values.yaml @@ -0,0 +1,260 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + pdb: + # -- If true, enables a PDB for the dashboard + enable: true + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.logLevel -- Set the logging level for the Webhook command + logLevel: info + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + pdb: + # -- If true, enables a PDB for the webhook + enable: true + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/CHANGELOG.md b/charts/fairwinds/polaris/5.17.0/CHANGELOG.md similarity index 100% rename from charts/fairwinds/polaris/CHANGELOG.md rename to charts/fairwinds/polaris/5.17.0/CHANGELOG.md diff --git a/charts/fairwinds/polaris/5.17.0/Chart.yaml b/charts/fairwinds/polaris/5.17.0/Chart.yaml new file mode 100644 index 0000000000..b525554ae2 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Fairwinds Polaris + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/release-name: polaris +apiVersion: v1 +appVersion: "8.5" +description: Validation of best practices in your Kubernetes clusters +icon: https://polaris.docs.fairwinds.com/img/polaris-logo.png +kubeVersion: '>= 1.22.0-0' +maintainers: +- email: robertb@fairwinds.com + name: rbren +name: polaris +version: 5.17.0 diff --git a/charts/fairwinds/polaris/5.17.0/README.md b/charts/fairwinds/polaris/5.17.0/README.md new file mode 100644 index 0000000000..3c6637a1bf --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/README.md @@ -0,0 +1,110 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config | string | `nil` | The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. | +| configUrl | string | `nil` | Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. configUrl: https://example.com/config.yaml | +| additionalExemptions | string | `nil` | List of additional exemptions to append to the exemptions given in `config` | +| image.repository | string | `"quay.io/fairwinds/polaris"` | Image repo | +| image.tag | string | `""` | The Polaris Image tag to use. Defaults to the Chart's AppVersion | +| image.pullPolicy | string | `"Always"` | Image pull policy | +| image.pullSecrets | list | `[]` | Image pull secrets | +| rbac.enabled | bool | `true` | Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `nil` | The name of the service account to use. | +| templateOnly | bool | `false` | Outputs Namespace names, used with `helm template` | +| dashboard.basePath | string | `nil` | Path on which the dashboard is served. Defaults to `/` | +| dashboard.enable | bool | `true` | Whether to run the dashboard. | +| dashboard.port | int | `8080` | Port that the dashboard will run from. | +| dashboard.listeningAddress | string | `nil` | Dashboard listerning address. | +| dashboard.replicas | int | `2` | Number of replicas to run. | +| dashboard.logLevel | string | `"Info"` | Set the logging level for the Dashboard command | +| dashboard.podAdditionalLabels | object | `{}` | Custom additional labels on dashboard pods. | +| dashboard.deploymentAnnotations | object | `{}` | Custom additional annotations on dashboard Deployment. | +| dashboard.resources | object | `{"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the dashboard | +| dashboard.extraContainers | list | `[]` | allows injecting additional containers. | +| dashboard.service.type | string | `"ClusterIP"` | Service Type | +| dashboard.service.annotations | object | `{}` | Service annotations | +| dashboard.service.targetPort | string | `nil` | Service targetport, defaults to dashboard.port | +| dashboard.service.loadBalancerSourceRanges | list | `[]` | List of allowed CIDR values | +| dashboard.nodeSelector | object | `{}` | Dashboard pod nodeSelector | +| dashboard.tolerations | list | `[]` | Dashboard pod tolerations | +| dashboard.affinity | object | `{}` | Dashboard pods affinity | +| dashboard.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"dashboard"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Dashboard pods topologySpreadConstraints | +| dashboard.ingress.enabled | bool | `false` | Whether to enable ingress to the dashboard | +| dashboard.ingress.ingressClassName | string | `nil` | From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. | +| dashboard.ingress.hosts | list | `[]` | Web ingress hostnames | +| dashboard.ingress.annotations | object | `{}` | Web ingress annotations | +| dashboard.ingress.tls | list | `[]` | Ingress TLS configuration | +| dashboard.ingress.defaultBackendEnabled | bool | `false` | DefaultBackend is required by GKE container native load balancer, set to true for this use case | +| dashboard.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| dashboard.disallowExemptions | bool | `false` | Disallow any exemption | +| dashboard.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| dashboard.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| dashboard.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | securityContext to apply to the dashboard container | +| dashboard.pdb.enable | bool | `true` | If true, enables a PDB for the dashboard | +| webhook.enable | bool | `false` | Whether to run the webhook | +| webhook.validate | bool | `true` | Enables the Validating Webhook, to reject resources with issues | +| webhook.mutate | bool | `false` | Enables the Mutating Webhook, to modify resources with issues | +| webhook.replicas | int | `2` | Number of replicas | +| webhook.logLevel | string | `"info"` | Set the logging level for the Webhook command | +| webhook.nodeSelector | object | `{}` | Webhook pod nodeSelector | +| webhook.tolerations | list | `[]` | Webhook pod tolerations | +| webhook.affinity | object | `{}` | Webhook pods affinity | +| webhook.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"component":"webhook"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Webhook pods topologySpreadConstraints | +| webhook.certManager.apiVersion | string | `""` | Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. | +| webhook.caBundle | string | `nil` | CA Bundle to use for Validating Webhook instead of cert-manager | +| webhook.secretName | string | `nil` | Name of the secret containing a TLS certificate to use if cert-manager is not used. | +| webhook.failurePolicy | string | `"Fail"` | failurePolicy for the ValidatingWebhookConfiguration | +| webhook.matchPolicy | string | `"Exact"` | matchPolicy for the ValidatingWebhookConfiguration | +| webhook.namespaceSelector | object | `{"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]}` | namespaceSelector for the ValidatingWebhookConfiguration | +| webhook.objectSelector | object | `{}` | objectSelector for the ValidatingWebhookConfiguration | +| webhook.rules | list | `[]` | An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.mutatingRules | list | `[]` | An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. | +| webhook.defaultRules | list | `[{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}]` | An array of rules for common types for the ValidatingWebhookConfiguration | +| webhook.podAdditionalLabels | object | `{}` | Custom additional labels on webhook pods. | +| webhook.deploymentAnnotations | object | `{}` | Custom additional annotations on webhook Deployment. | +| webhook.resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Requests and limits for the webhook. | +| webhook.priorityClassName | string | `nil` | Priority Class name to be used in deployment if provided. | +| webhook.disallowExemptions | bool | `false` | Disallow any exemption | +| webhook.disallowConfigExemptions | bool | `false` | Disallow exemptions that are configured in the config file | +| webhook.disallowAnnotationExemptions | bool | `false` | Disallow exemptions that are configured via annotations | +| webhook.mutatingConfigurationAnnotations | object | `{}` | | +| webhook.validatingConfigurationAnnotations | object | `{}` | | +| webhook.pdb.enable | bool | `true` | If true, enables a PDB for the webhook | +| audit.enable | bool | `false` | Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. | +| audit.cleanup | bool | `false` | Whether to delete the namespace once the audit is finished. | +| audit.outputURL | string | `""` | A URL which will receive a POST request with audit results. | diff --git a/charts/fairwinds/polaris/5.17.0/README.md.gotmpl b/charts/fairwinds/polaris/5.17.0/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.17.0/ci/merge-values.yaml b/charts/fairwinds/polaris/5.17.0/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.17.0/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.17.0/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.17.0/ci/test-values.yaml b/charts/fairwinds/polaris/5.17.0/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.17.0/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.17.0/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/NOTES.txt b/charts/fairwinds/polaris/5.17.0/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/_helpers.tpl b/charts/fairwinds/polaris/5.17.0/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/audit.job.yaml b/charts/fairwinds/polaris/5.17.0/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.17.0/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/configmap.yaml b/charts/fairwinds/polaris/5.17.0/templates/configmap.yaml new file mode 100644 index 0000000000..e4fd9ec68a --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/configmap.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- if kindIs "map" . }} + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "string" . }} + {{- . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.17.0/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/dashboard.pdb.yaml b/charts/fairwinds/polaris/5.17.0/templates/dashboard.pdb.yaml new file mode 100644 index 0000000000..08ad5f3721 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/dashboard.pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.dashboard.pdb }} +{{- if and .Values.dashboard.enable .Values.dashboard.pdb.enable -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.17.0/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/templates/ingress.yaml b/charts/fairwinds/polaris/5.17.0/templates/ingress.yaml similarity index 100% rename from charts/fairwinds/polaris/templates/ingress.yaml rename to charts/fairwinds/polaris/5.17.0/templates/ingress.yaml diff --git a/charts/fairwinds/polaris/5.17.0/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.17.0/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/rbac.yaml b/charts/fairwinds/polaris/5.17.0/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.17.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.17.0/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.17.0/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.17.0/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..dc8c6fe5e0 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/webhook.deployment.yaml @@ -0,0 +1,139 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + {{- if .Values.webhook.logLevel }} + - --log-level={{ .Values.webhook.logLevel }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/templates/webhook.pdb.yaml b/charts/fairwinds/polaris/5.17.0/templates/webhook.pdb.yaml new file mode 100644 index 0000000000..4b83f11ca5 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/webhook.pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.webhook.pdb }} +{{- if and .Values.webhook.enable .Values.webhook.pdb.enable -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.0/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.17.0/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.0/values.yaml b/charts/fairwinds/polaris/5.17.0/values.yaml new file mode 100644 index 0000000000..27d2f4100e --- /dev/null +++ b/charts/fairwinds/polaris/5.17.0/values.yaml @@ -0,0 +1,260 @@ +# config -- The [polaris configuration](https://github.com/FairwindsOps/polaris#configuration). If not provided then the [default](https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml) config from Polaris is used. +config: null + +# configUrl -- Use a config from an accessible URL source. NOTE: `config` & `configUrl` are mutually exclusive. Setting `configURL` will take precedence over `config`. Only one may be used. +# configUrl: https://example.com/config.yaml +configUrl: null + +# additionalExemptions -- List of additional exemptions to append to the exemptions given in `config` +additionalExemptions: null + + +image: + # image.repository -- Image repo + repository: quay.io/fairwinds/polaris + # image.tag -- The Polaris Image tag to use. Defaults to the Chart's AppVersion + tag: "" + # image.pullPolicy -- Image pull policy + pullPolicy: Always + # image.pullSecrets -- Image pull secrets + pullSecrets: [] + +rbac: + # rbac.enabled -- Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created + enabled: true + +serviceAccount: + # serviceAccount.create -- Specifies whether a service account should be created + create: true + # serviceAccount.name -- The name of the service account to use. + name: + +# templateOnly -- Outputs Namespace names, used with `helm template` +templateOnly: false + +dashboard: + # dashboard.basePath -- Path on which the dashboard is served. Defaults to `/` + basePath: null + # dashboard.enable -- Whether to run the dashboard. + enable: true + # dashboard.port -- Port that the dashboard will run from. + port: 8080 + # dashboard.listeningAddress -- Dashboard listerning address. + listeningAddress: + # dashboard.replicas -- Number of replicas to run. + replicas: 2 + # dashboard.logLevel -- Set the logging level for the Dashboard command + logLevel: Info + # dashboard.podAdditionalLabels -- Custom additional labels on dashboard pods. + podAdditionalLabels: {} + # dashboard.deploymentAnnotations -- Custom additional annotations on dashboard Deployment. + deploymentAnnotations: {} + # dashboard.resources -- Requests and limits for the dashboard + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 150m + memory: 512Mi + # dashboard.extraContainers -- allows injecting additional containers. + extraContainers: [] + # extraContainers: + # - name: oauth-proxy + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + # args: + # - --upstream=http://127.0.0.1:8080 + # - --http-address=0.0.0.0:8081 + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + service: + # dashboard.service.type -- Service Type + type: ClusterIP + # dashboard.service.annotations -- Service annotations + annotations: {} + # dashboard.service.targetPort -- Service targetport, defaults to dashboard.port + targetPort: + # dashboard.service.loadBalancerSourceRanges -- List of allowed CIDR values + loadBalancerSourceRanges: [] + # dashboard.nodeSelector -- Dashboard pod nodeSelector + nodeSelector: {} + # dashboard.tolerations -- Dashboard pod tolerations + tolerations: [] + # dashboard.affinity -- Dashboard pods affinity + affinity: {} + # dashboard.topologySpreadConstraints -- Dashboard pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: dashboard + ingress: + # dashboard.ingress.enabled -- Whether to enable ingress to the dashboard + enabled: false + # dashboard.ingress.ingressClassName -- From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation. + ingressClassName: + # dashboard.ingress.hosts -- Web ingress hostnames + hosts: [] + # dashboard.ingress.annotations -- Web ingress annotations + annotations: {} + # dashboard.ingress.tls -- Ingress TLS configuration + tls: [] + # dashboard.ingress.defaultBackendEnabled -- DefaultBackend is required by GKE container native load balancer, set to true for this use case + defaultBackendEnabled: false + # dashboard.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # dashboard.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # dashboard.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # dashboard.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + # dashboard.containerSecurityContext -- securityContext to apply to the dashboard container + containerSecurityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + pdb: + # -- If true, enables a PDB for the dashboard + enable: true + +webhook: + # webhook.enable -- Whether to run the webhook + enable: false + # webhook.validate -- Enables the Validating Webhook, to reject resources with issues + validate: true + # webhook.mutate -- Enables the Mutating Webhook, to modify resources with issues + mutate: false + # webhook.replicas -- Number of replicas + replicas: 2 + # webhook.logLevel -- Set the logging level for the Webhook command + logLevel: info + # webhook.nodeSelector -- Webhook pod nodeSelector + nodeSelector: {} + # webhook.tolerations -- Webhook pod tolerations + tolerations: [] + # webhook.affinity -- Webhook pods affinity + affinity: {} + # webhook.topologySpreadConstraints -- Webhook pods topologySpreadConstraints + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + component: webhook + certManager: + # -- Allows overriding .Capabilities.APIVersions with a specified version. Useful for GitOps. + apiVersion: "" + # webhook.caBundle -- CA Bundle to use for Validating Webhook instead of cert-manager + caBundle: null + # webhook.secretName -- Name of the secret containing a TLS certificate to use if cert-manager is not used. + secretName: null + # webhook.failurePolicy -- failurePolicy for the ValidatingWebhookConfiguration + failurePolicy: Fail + # webhook.matchPolicy -- matchPolicy for the ValidatingWebhookConfiguration + matchPolicy: Exact + # webhook.namespaceSelector -- namespaceSelector for the ValidatingWebhookConfiguration + namespaceSelector: + matchExpressions: + - key: control-plane + operator: DoesNotExist + # webhook.objectSelector -- objectSelector for the ValidatingWebhookConfiguration + objectSelector: {} + # webhook.rules -- An array of additional rules for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + rules: [] + # webhook.mutatingRules -- An array of additional rules for the MutatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope. + mutatingRules: [] + # webhook.defaultRules -- An array of rules for common types for the ValidatingWebhookConfiguration + defaultRules: + - apiGroups: + - apps + apiVersions: + - v1 + - v1beta1 + - v1beta2 + operations: + - CREATE + - UPDATE + resources: + - daemonsets + - deployments + - statefulsets + scope: Namespaced + - apiGroups: + - batch + apiVersions: + - v1 + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - jobs + - cronjobs + scope: Namespaced + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + - replicationcontrollers + scope: Namespaced + # webhook.podAdditionalLabels -- Custom additional labels on webhook pods. + podAdditionalLabels: {} + # webhook.deploymentAnnotations -- Custom additional annotations on webhook Deployment. + deploymentAnnotations: {} + # webhook.resources -- Requests and limits for the webhook. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 100m + memory: 128Mi + # webhook.priorityClassName -- Priority Class name to be used in deployment if provided. + priorityClassName: + # webhook.disallowExemptions -- Disallow any exemption + disallowExemptions: false + # webhook.disallowConfigExemptions -- Disallow exemptions that are configured in the config file + disallowConfigExemptions: false + # webhook.disallowAnnotationExemptions -- Disallow exemptions that are configured via annotations + disallowAnnotationExemptions: false + mutatingConfigurationAnnotations: {} + validatingConfigurationAnnotations: {} + pdb: + # -- If true, enables a PDB for the webhook + enable: true + +audit: + # audit.enable -- Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others. + enable: false + # audit.cleanup -- Whether to delete the namespace once the audit is finished. + cleanup: false + # audit.outputURL -- A URL which will receive a POST request with audit results. + outputURL: "" diff --git a/charts/fairwinds/polaris/5.17.1/CHANGELOG.md b/charts/fairwinds/polaris/5.17.1/CHANGELOG.md new file mode 100644 index 0000000000..4e18536ce6 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/CHANGELOG.md @@ -0,0 +1,82 @@ +# Changelog + +All notable changes to this Helm chart will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this chart adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## 5.17.0 +* Removed the switch for networking apiVersion and default to networking/v1 + +## 5.16.0 +* Added default PDBs for both the webhook and the dashboard + +## 5.15.0 + +* Support `string` type of `config` value + +## 5.13.0 +* Update Polaris to 8.5.0 + +## 5.11.1 +* set kubeVersion in the chart manifest + +## 5.9.0 +* Update Polaris version to 8.0 + +## 5.8.2 +* Fix webhook annotations reference + +## 5.8.1 +* Fix cert manager apiVersion override + +## 5.7.6 +* Patch bump for updating charts CI +## 5.7.4 +Added addition exemptions +* https://github.com/FairwindsOps/charts/issues/1059 + +## 5.5.1 +### Added +RBAC permission to get and list ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings. These permissions are required by new RBAC related checks: +* https://github.com/FairwindsOps/polaris/pull/820 +* https://github.com/FairwindsOps/polaris/pull/823 + +## 5.5.0 +### Added +Refactor container securityContext into `values.yaml` for added flexibility (i.e seccomp profiles). + +## 4.2.1 + +### Added +Support `ingressClassName` in Ingress object. + +## 1.0.0 +Updated to Polaris 1.0. + +In addition to changes needed for Polaris 1.0, there are some chart changes: +* RBAC has been simplified to remove duplication +* `config` now uses the built-in Polaris config by default +* `ingress` is now attached to the dashboard values +* only a single `image` is specified for the entire chart + +## 0.6.0 + +### Fixed + +* The validating webhook pod no longer crashes when using a Helm release name other than _polaris_ ([Polaris issue #211](https://github.com/FairwindsOps/polaris/issues/211)) Note that upgrading the Helm release will return the error: + + ``` + UPGRADE FAILED + Error: kind Secret with the name "polaris-webhook" already exists in the cluster and wasn't defined in the previous release. Before upgrading, please either delete the resource from the cluster or remove it from the chart + ``` +Delete the _polaris-webhook_ secret from the namespace where Polaris is installed, and the Helm upgrade will succeed. When the Polaris webhook pod restarts it will populate the _polaris-webhook_ secret. +* The Polaris dashboard and webhook pods now restart when the ConfigMap has been changed. + +### Changed + +* The Secret used by the Polaris webhook is now named _polaris-webhook_ instead of using the Helm release name. This has been done to match the static secret name that the Polaris webhook pod populates. + +### Added + +* This changelog has been added to help track updates to this Helm chart. diff --git a/charts/fairwinds/polaris/Chart.yaml b/charts/fairwinds/polaris/5.17.1/Chart.yaml similarity index 100% rename from charts/fairwinds/polaris/Chart.yaml rename to charts/fairwinds/polaris/5.17.1/Chart.yaml diff --git a/charts/fairwinds/polaris/README.md b/charts/fairwinds/polaris/5.17.1/README.md similarity index 100% rename from charts/fairwinds/polaris/README.md rename to charts/fairwinds/polaris/5.17.1/README.md diff --git a/charts/fairwinds/polaris/5.17.1/README.md.gotmpl b/charts/fairwinds/polaris/5.17.1/README.md.gotmpl new file mode 100644 index 0000000000..f932a33c09 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/README.md.gotmpl @@ -0,0 +1,35 @@ +# Polaris + +[Polaris](https://github.com/FairwindsOps/polaris) +is a tool for auditing and enforcing best practices in Kubernetes. + +## Installation +We recommend installing polaris in its own namespace. + +### Dashboard +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris +``` + +### Webhook + +A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work. + +If you don't use cert-manager, you'll need to: +* Supply a CA Bundle with the `webhook.caBundle` +* Create a TLS secret in your cluster with a valid certificate that uses that CA +* Pass the name of that secret with the `webhook.secretName` parameter. + +``` +helm repo add fairwinds-stable https://charts.fairwinds.com/stable +helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false +``` + +## A Note on Chart Version 0.10.0+ + +Due to the [deprecation](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) of various `extensions/v1beta1` API's, +the 0.10.0 version of this chart will only work on kubernetes 1.14.0+ + + +{{ template "chart.valuesSection" . }} diff --git a/charts/fairwinds/polaris/5.17.1/ci/merge-values.yaml b/charts/fairwinds/polaris/5.17.1/ci/merge-values.yaml new file mode 100644 index 0000000000..221896283b --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/ci/merge-values.yaml @@ -0,0 +1,66 @@ +# Based upon https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml +nameOverride: polaris + +config: + checks: + # reliability + deploymentMissingReplicas: warning + priorityClassNotSet: ignore + tagNotSpecified: danger + pullPolicyNotAlways: warning + readinessProbeMissing: warning + livenessProbeMissing: warning + metadataAndNameMismatched: ignore + pdbDisruptionsIsZero: warning + missingPodDisruptionBudget: ignore + topologySpreadConstraint: warning + + # efficiency + cpuRequestsMissing: warning + cpuLimitsMissing: warning + memoryRequestsMissing: warning + memoryLimitsMissing: warning + # security + automountServiceAccountToken: ignore + hostIPCSet: danger + hostPIDSet: danger + linuxHardening: warning + missingNetworkPolicy: ignore + notReadOnlyRootFilesystem: warning + privilegeEscalationAllowed: danger + runAsRootAllowed: danger + runAsPrivileged: danger + dangerousCapabilities: danger + insecureCapabilities: warning + hostNetworkSet: danger + hostPortSet: warning + tlsSettingsMissing: warning + # These are initially warning and will later be promoted to danger. + sensitiveContainerEnvVar: warning + sensitiveConfigmapContent: warning + clusterrolePodExecAttach: warning + rolePodExecAttach: warning + clusterrolebindingPodExecAttach: warning + rolebindingClusterRolePodExecAttach: warning + rolebindingRolePodExecAttach: warning + clusterrolebindingClusterAdmin: warning + rolebindingClusterAdminClusterRole: warning + rolebindingClusterAdminRole: warning + + mutations: + - pullPolicyNotAlways + + exemptions: + - namespace: kube-system + controllerNames: + - coredns + rules: + - automountServiceAccountToken + - missingNetworkPolicy + +additionalExemptions: + - namespace: foo + containerName: + - bar + rules: + - privilegeEscalationAllowed diff --git a/charts/fairwinds/polaris/5.17.1/ci/test-values-2.yaml b/charts/fairwinds/polaris/5.17.1/ci/test-values-2.yaml new file mode 100644 index 0000000000..b07ed8b09d --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/ci/test-values-2.yaml @@ -0,0 +1,9 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com +webhook: + enabled: true + mutate: true diff --git a/charts/fairwinds/polaris/5.17.1/ci/test-values.yaml b/charts/fairwinds/polaris/5.17.1/ci/test-values.yaml new file mode 100644 index 0000000000..bb647450b9 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/ci/test-values.yaml @@ -0,0 +1,19 @@ +dashboard: + ingress: + enabled: true + ingressClassName: ingress + hosts: + - foo.com + deploymentAnnotations: + foo: bar +webhook: + enabled: true + mutate: true + mutatingConfigurationAnnotations: + test: mutate + validatingConfigurationAnnotations: + test: validate + certManager: + apiVersion: cert-manager.io/v1 + deploymentAnnotations: + foo: bar diff --git a/charts/fairwinds/polaris/5.17.1/templates/0-namespace.yaml b/charts/fairwinds/polaris/5.17.1/templates/0-namespace.yaml new file mode 100644 index 0000000000..83e3751bb1 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/0-namespace.yaml @@ -0,0 +1,6 @@ +{{- if .Values.templateOnly -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/NOTES.txt b/charts/fairwinds/polaris/5.17.1/templates/NOTES.txt new file mode 100644 index 0000000000..96560d753f --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/NOTES.txt @@ -0,0 +1,19 @@ +** Please be patient while the chart is being deployed ** + +Enjoy Polaris and smooth sailing! + +{{- if contains "ClusterIP" .Values.dashboard.service.type }} + +{{- if .Values.webhook.enable }} +The webhook is now running. Any resources that violate Polaris policy will be rejected. +{{- end }} + +{{- if .Values.dashboard.enable }} +To view the dashboard execute this command: + +kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 + +Then open http://localhost:8080 in your browser. +{{- end }} + +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/_helpers.tpl b/charts/fairwinds/polaris/5.17.1/templates/_helpers.tpl new file mode 100644 index 0000000000..90b62b4611 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "polaris.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "polaris.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "polaris.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Standard labels +*/}} +{{- define "polaris.labels" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/component: dashboard +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ template "polaris.name" . }} +app.kubernetes.io/part-of: {{ template "polaris.name" . }} +app.kubernetes.io/version: "{{ .Chart.Version }}" +helm.sh/chart: {{ include "polaris.chart" . }} +{{- end -}} +{{- end -}} + +{{/* +Standard selector +*/}} +{{- define "polaris.selectors" -}} +app: {{ include "polaris.name" . }} +{{- if not .Values.templateOnly }} +app.kubernetes.io/name: {{ include "polaris.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} + +{{/* +Name of the service account to use +*/}} +{{- define "polaris.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "polaris.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/audit.job.yaml b/charts/fairwinds/polaris/5.17.1/templates/audit.job.yaml new file mode 100644 index 0000000000..ae6451b25b --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/audit.job.yaml @@ -0,0 +1,80 @@ +{{- if .Values.audit.enable -}} +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + {{- end }} + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: audit +spec: + template: + spec: + serviceAccountName: {{ include "polaris.fullname" . }} + restartPolicy: Never + containers: + - command: + - polaris + - audit + - --output-url + - {{ required "Must set audit.outputURL in values if you enable the audit job." .Values.audit.outputURL }} + - --output-file + - /tmp/results/done + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + image: '{{.Values.image.repository}}:{{ .Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: audit + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: results + mountPath: /tmp/results + {{- if .Values.audit.cleanup }} + - name: cleanup + image: gcr.io/heptio-images/namespace-deleter:v0.0.2 + imagePullPolicy: Always + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: results + mountPath: /tmp/results + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" . }} + {{- end }} + - name: results +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/audit.rbac.yaml b/charts/fairwinds/polaris/5.17.1/templates/audit.rbac.yaml new file mode 100644 index 0000000000..4e0987a296 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/audit.rbac.yaml @@ -0,0 +1,38 @@ +{{- if .Values.audit.cleanup }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +rules: + - apiGroups: + - '' + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-audit-cleanup + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app: polaris +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "polaris.fullname" . }}-audit-cleanup +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/configmap.yaml b/charts/fairwinds/polaris/5.17.1/templates/configmap.yaml new file mode 100644 index 0000000000..e4fd9ec68a --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/configmap.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.configUrl }} +{{- with .Values.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "polaris.fullname" $ }} + {{- if $.Values.templateOnly }} + namespace: {{ $.Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" $ | nindent 4 }} +data: + config.yaml: | + {{- if kindIs "map" . }} + {{- range $key, $value := . }} + {{ $key }}: + {{- toYaml $value | nindent 6 }} + {{- if and (eq $key "exemptions") ($.Values.additionalExemptions) }} + {{- toYaml $.Values.additionalExemptions | nindent 6 }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "string" . }} + {{- . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/dashboard.deployment.yaml b/charts/fairwinds/polaris/5.17.1/templates/dashboard.deployment.yaml new file mode 100644 index 0000000000..74041dec4d --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/dashboard.deployment.yaml @@ -0,0 +1,134 @@ +{{- if .Values.dashboard.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard + {{- with .Values.dashboard.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{.Values.dashboard.replicas}} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: dashboard + {{- with .Values.dashboard.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.config }} + volumes: + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + {{- if .Values.dashboard.priorityClassName }} + priorityClassName: {{ .Values.dashboard.priorityClassName | quote }} + {{- end }} + containers: + - command: + - polaris + - dashboard + {{- if .Values.configUrl }} + - --config + - {{ .Values.configUrl | quote }} + {{- else }} + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- end }} + {{- with .Values.dashboard.basePath }} + - --base-path + - {{ . }} + {{- end }} + {{- with .Values.dashboard.port }} + - --port + - {{ . | quote }} + {{- end }} + {{- if .Values.dashboard.listeningAddress }} + - --listening-address + - {{ .Values.dashboard.listeningAddress }} + {{- end }} + {{- if .Values.dashboard.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.dashboard.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.dashboard.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + {{- if .Values.dashboard.logLevel }} + - --log-level + - {{ .Values.dashboard.logLevel | quote }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + name: dashboard + ports: + - containerPort: {{ .Values.dashboard.port }} + livenessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + readinessProbe: + httpGet: + path: {{.Values.dashboard.basePath | default "/" }}health + port: {{ .Values.dashboard.port }} + initialDelaySeconds: 5 + periodSeconds: 20 + resources: + {{- toYaml .Values.dashboard.resources | nindent 10 }} + {{- with .Values.dashboard.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if not .Values.configUrl }} + {{- with .Values.config }} + volumeMounts: + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + {{- end }} + {{- with .Values.dashboard.extraContainers }} + {{- toYaml . | nindent 6 }} + {{- end }} + serviceAccountName: {{ template "polaris.serviceAccountName" . }} + nodeSelector: + {{- with .Values.dashboard.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.dashboard.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.dashboard.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.dashboard.topologySpreadConstraints | indent 6 }} + {{- end }} +{{- if .Values.dashboard.affinity }} + affinity: +{{ toYaml .Values.dashboard.affinity | indent 8 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/dashboard.pdb.yaml b/charts/fairwinds/polaris/5.17.1/templates/dashboard.pdb.yaml new file mode 100644 index 0000000000..08ad5f3721 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/dashboard.pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.dashboard.pdb }} +{{- if and .Values.dashboard.enable .Values.dashboard.pdb.enable -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: dashboard +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: dashboard +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/dashboard.service.yaml b/charts/fairwinds/polaris/5.17.1/templates/dashboard.service.yaml new file mode 100644 index 0000000000..fc95843216 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/dashboard.service.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.dashboard.enable .Values.dashboard.service -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-dashboard + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.dashboard.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + ports: + - name: http-dashboard + port: 80 + protocol: TCP + targetPort: {{ .Values.dashboard.service.targetPort | default .Values.dashboard.port }} + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: dashboard + type: {{ .Values.dashboard.service.type }} +{{- if .Values.dashboard.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.dashboard.service.loadBalancerSourceRanges | nindent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/ingress.yaml b/charts/fairwinds/polaris/5.17.1/templates/ingress.yaml new file mode 100644 index 0000000000..92318bde96 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/ingress.yaml @@ -0,0 +1,41 @@ +{{- if .Values.dashboard.ingress.enabled -}} +{{ $serviceName := printf "%s-dashboard" (include "polaris.fullname" .) -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + {{- range $key, $value := .Values.dashboard.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + app.kubernetes.io/name: {{ include "polaris.name" . }} + helm.sh/chart: {{ include "polaris.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + name: polaris +spec: + ingressClassName: {{ .Values.dashboard.ingress.ingressClassName }} +{{- if .Values.dashboard.ingress.defaultBackendEnabled }} + defaultBackend: + service: + name: {{ $serviceName }} + port: + number: 80 +{{- end }} + rules: + {{- range .Values.dashboard.ingress.hosts }} + - host: {{ . }} + http: + paths: + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: / + pathType: Prefix + {{- end -}} +{{- if .Values.dashboard.ingress.tls }} + tls: +{{ toYaml .Values.dashboard.ingress.tls | indent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/mutate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.17.1/templates/mutate-webhook.configuration.yaml new file mode 100644 index 0000000000..ba53030fd8 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/mutate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.mutate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: polaris-mutate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /mutate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.mutatingRules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/rbac.yaml b/charts/fairwinds/polaris/5.17.1/templates/rbac.yaml new file mode 100644 index 0000000000..56a186183c --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/rbac.yaml @@ -0,0 +1,67 @@ +{{- if .Values.rbac.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }}-view + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +rules: + # required by controller-runtime code doing a cluster wide lookup + # when it seems namespace would suffice + - apiGroups: + - '' + resources: + - 'nodes' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'monitoring.coreos.com' + resources: + - 'prometheuses' + - 'alertmanagers' + verbs: + - 'get' + - 'list' + - apiGroups: + - 'rbac.authorization.k8s.io' + resources: + - 'clusterroles' + - 'clusterrolebindings' + - 'roles' + - 'rolebindings' + verbs: + - 'get' + - 'list' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "polaris.fullname" . }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "polaris.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "polaris.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/serviceaccount.yaml b/charts/fairwinds/polaris/5.17.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b2a2427260 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "polaris.fullname" . }} + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/validate-webhook.configuration.yaml b/charts/fairwinds/polaris/5.17.1/templates/validate-webhook.configuration.yaml new file mode 100644 index 0000000000..3b536f4327 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/validate-webhook.configuration.yaml @@ -0,0 +1,37 @@ +{{- if and .Values.webhook.enable .Values.webhook.validate -}} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: polaris-validate-webhook + annotations: + {{- if not .Values.webhook.secretName }} + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "polaris.fullname" . }}-cert + {{- end }} + {{- range $key, $value := .Values.webhook.validatingConfigurationAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.webhook.caBundle }} + caBundle: {{ .Values.webhook.caBundle | quote }} + {{- end }} + service: + name: {{ include "polaris.fullname" . }}-webhook + namespace: {{ .Release.Namespace }} + path: /validate + port: 443 + failurePolicy: {{ .Values.webhook.failurePolicy }} + matchPolicy: {{ .Values.webhook.matchPolicy }} + name: polaris.fairwinds.com + namespaceSelector: + {{ .Values.webhook.namespaceSelector | toYaml | nindent 4 }} + objectSelector: + {{ .Values.webhook.objectSelector | toYaml | nindent 4 }} + rules: + {{- concat .Values.webhook.rules .Values.webhook.defaultRules | toYaml | nindent 2 }} + sideEffects: None + timeoutSeconds: 10 +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/webhook.cert.yaml b/charts/fairwinds/polaris/5.17.1/templates/webhook.cert.yaml new file mode 100644 index 0000000000..fc264ad8dd --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/webhook.cert.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.webhook.enable (not .Values.webhook.secretName) -}} +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Certificate +metadata: + name: {{ include "polaris.fullname" . }}-cert + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + commonName: {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "polaris.fullname" . }}-webhook + - {{ include "polaris.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} + issuerRef: + kind: Issuer + name: {{ include "polaris.fullname" . }}-selfsigned + secretName: {{ include "polaris.fullname" . }} +--- +{{- if .Values.webhook.certManager.apiVersion }} +apiVersion: {{ .Values.webhook.certManager.apiVersion }} +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }} +apiVersion: cert-manager.io/v1 +{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1alpha2" }} +apiVersion: cert-manager.io/v1alpha2 +{{- else }} +apiVersion: cert-manager.io/v1alpha1 +{{- end }} +kind: Issuer +metadata: + name: {{ include "polaris.fullname" . }}-selfsigned + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + selfSigned: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/webhook.deployment.yaml b/charts/fairwinds/polaris/5.17.1/templates/webhook.deployment.yaml new file mode 100644 index 0000000000..dc8c6fe5e0 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/webhook.deployment.yaml @@ -0,0 +1,139 @@ +{{- if .Values.webhook.enable -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook + {{- with .Values.webhook.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.webhook.replicas }} + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook + template: + metadata: + {{- with .Values.config }} + annotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") $ | sha256sum }}' + {{- end }} + labels: + {{- include "polaris.selectors" . | nindent 8 }} + component: webhook + {{- with .Values.webhook.podAdditionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: webhook + command: + - polaris + - webhook + {{- with .Values.config }} + - --config + - /opt/app/config.yaml + {{- end }} + {{- if .Values.webhook.disallowExemptions }} + - --disallow-exemptions + {{- end }} + {{- if .Values.webhook.disallowConfigExemptions }} + - --disallow-config-exemptions + {{- end }} + {{- if .Values.webhook.disallowAnnotationExemptions }} + - --disallow-annotation-exemptions + {{- end }} + - --validate={{ .Values.webhook.validate }} + - --mutate={{ .Values.webhook.mutate }} + {{- if .Values.webhook.logLevel }} + - --log-level={{ .Values.webhook.logLevel }} + {{- end }} + image: '{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion }}' + imagePullPolicy: '{{.Values.image.pullPolicy}}' + ports: + - containerPort: 9876 + # These are fairly useless readiness/liveness probes for now + # Follow this issue for potential improvements: + # https://github.com/kubernetes-sigs/controller-runtime/issues/356 + livenessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - sh + - -c + - ps -ef | grep polaris + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + {{- toYaml .Values.webhook.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- with .Values.config }} + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + readOnly: true + {{- end }} + - name: secret + mountPath: /opt/cert/ + readOnly: true + - name: cr-logs + mountPath: /tmp/ + readOnly: false + serviceAccountName: {{ include "polaris.fullname" . }} + {{- if .Values.webhook.priorityClassName }} + priorityClassName: {{ .Values.webhook.priorityClassName | quote }} + {{- end }} + nodeSelector: + {{- with .Values.webhook.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + tolerations: + {{- with .Values.webhook.tolerations }} +{{ toYaml . | indent 6 }} + {{- end }} +{{- if .Values.webhook.affinity }} + affinity: +{{ toYaml .Values.webhook.affinity | indent 8 }} +{{- end }} +{{- if .Values.webhook.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.webhook.topologySpreadConstraints | indent 6 }} + {{- end }} + volumes: + {{- with .Values.config }} + - name: config + configMap: + name: {{ include "polaris.fullname" $ }} + {{- end }} + - name: secret + secret: + {{- with .Values.webhook.secretName }} + secretName: {{ . }} + {{- else }} + secretName: {{ include "polaris.fullname" . }} + {{- end }} + - name: cr-logs + emptyDir: {} +{{- end -}} diff --git a/charts/fairwinds/polaris/5.17.1/templates/webhook.pdb.yaml b/charts/fairwinds/polaris/5.17.1/templates/webhook.pdb.yaml new file mode 100644 index 0000000000..4b83f11ca5 --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/webhook.pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.webhook.pdb }} +{{- if and .Values.webhook.enable .Values.webhook.pdb.enable -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} + component: webhook +spec: + maxUnavailable: 1 + selector: + matchLabels: + {{- include "polaris.selectors" . | nindent 6 }} + component: webhook +{{- end }} +{{- end }} diff --git a/charts/fairwinds/polaris/5.17.1/templates/webhook.service.yaml b/charts/fairwinds/polaris/5.17.1/templates/webhook.service.yaml new file mode 100644 index 0000000000..1e34f5361c --- /dev/null +++ b/charts/fairwinds/polaris/5.17.1/templates/webhook.service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.webhook.enable -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "polaris.fullname" . }}-webhook + {{- if .Values.templateOnly }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "polaris.labels" . | nindent 4 }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: 9876 + selector: + {{- include "polaris.selectors" . | nindent 4 }} + component: webhook + type: ClusterIP +{{- end -}} diff --git a/charts/fairwinds/polaris/values.yaml b/charts/fairwinds/polaris/5.17.1/values.yaml similarity index 100% rename from charts/fairwinds/polaris/values.yaml rename to charts/fairwinds/polaris/5.17.1/values.yaml diff --git a/charts/gluu/gluu/5.0.18/Chart.yaml b/charts/gluu/gluu/5.0.18/Chart.yaml new file mode 100644 index 0000000000..650be6a065 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.18 official release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.14_dev + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.14_dev + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.14_dev + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.14_dev + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.14_dev + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.14_dev + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.14_dev + - name: casa + image: ghcr.io/gluufederation/flex/casa:5.0.0_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.14_dev + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.18 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.18 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.18 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.18 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.18 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.18 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.18 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.18 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.18 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.18 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.18 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.18 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.18 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.18 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/README.md b/charts/gluu/gluu/5.0.18/README.md new file mode 100644 index 0000000000..19eb8acaa3 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.18 | +| | auth-server | 5.0.18 | +| | auth-server-key-rotation | 5.0.18 | +| | casa | 5.0.18 | +| | cn-istio-ingress | 5.0.18 | +| | config | 5.0.18 | +| | config-api | 5.0.18 | +| | fido2 | 5.0.18 | +| | nginx-ingress | 5.0.18 | +| | opendj | 5.0.18 | +| | oxpassport | 5.0.18 | +| | oxshibboleth | 5.0.18 | +| | persistence | 5.0.18 | +| | scim | 5.0.18 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.14-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.14-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.14-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-13"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0-13"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.14-1"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.14-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.14-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-12"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.14-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.14-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/app-readme.md b/charts/gluu/gluu/5.0.18/app-readme.md similarity index 100% rename from charts/gluu/gluu/app-readme.md rename to charts/gluu/gluu/5.0.18/app-readme.md diff --git a/charts/gluu/gluu/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.18/charts/admin-ui/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/fido2/.helmignore rename to charts/gluu/gluu/5.0.18/charts/admin-ui/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..d340ad6b78 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.18/charts/admin-ui/README.md new file mode 100644 index 0000000000..640293c365 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/admin-ui-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/admin-ui-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-pdb.yaml diff --git a/charts/gluu/gluu/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/admin-ui-virtual-services.yaml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/admin-ui-virtual-services.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/service.yml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/service.yml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/service.yml diff --git a/charts/gluu/gluu/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/admin-ui/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.18/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..d9e245a6f4 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/charts/kc-scheduler/.helmignore b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/.helmignore rename to charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..a586f4d803 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..b201f594fa --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..21eea0f4f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.18/charts/auth-server/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/.helmignore rename to charts/gluu/gluu/5.0.18/charts/auth-server/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..abd39cc055 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server/README.md b/charts/gluu/gluu/5.0.18/charts/auth-server/README.md new file mode 100644 index 0000000000..a596f7980a --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/auth-server-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/auth-server-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-pdb.yaml diff --git a/charts/gluu/gluu/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-protected-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/auth-server-protected-virtual-services.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-protected-virtual-services.yaml diff --git a/charts/gluu/gluu/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/auth-server-virtual-services.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/auth-server-virtual-services.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/service.yml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/service.yml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/service.yml diff --git a/charts/gluu/gluu/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/auth-server/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.18/charts/auth-server/values.yaml new file mode 100644 index 0000000000..fefc029b1c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/charts/casa/.helmignore b/charts/gluu/gluu/5.0.18/charts/casa/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/casa/.helmignore rename to charts/gluu/gluu/5.0.18/charts/casa/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/casa/Chart.yaml new file mode 100644 index 0000000000..f1f05e7bf3 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/casa/README.md b/charts/gluu/gluu/5.0.18/charts/casa/README.md new file mode 100644 index 0000000000..6c01447b7f --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/casa-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/casa-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/casa/templates/casa-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/casa-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/casa-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/casa/templates/casa-pdb.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/casa/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/service.yaml rename to charts/gluu/gluu/5.0.18/charts/casa/templates/service.yaml diff --git a/charts/gluu/gluu/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/casa/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/casa/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/casa/values.yaml b/charts/gluu/gluu/5.0.18/charts/casa/values.yaml new file mode 100644 index 0000000000..37c37c7b58 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/.helmignore rename to charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..205b351e4c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..ba1614989e --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/values.yaml rename to charts/gluu/gluu/5.0.18/charts/cn-istio-ingress/values.yaml diff --git a/charts/gluu/gluu/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.18/charts/config-api/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/opendj/.helmignore rename to charts/gluu/gluu/5.0.18/charts/config-api/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..e117fe0e06 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/config-api/README.md b/charts/gluu/gluu/5.0.18/charts/config-api/README.md new file mode 100644 index 0000000000..21677dcab9 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/config-api-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/config-api-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-pdb.yaml diff --git a/charts/gluu/gluu/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/config-api-virtual-services.yaml rename to charts/gluu/gluu/5.0.18/charts/config-api/templates/config-api-virtual-services.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/config-api/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/service.yaml rename to charts/gluu/gluu/5.0.18/charts/config-api/templates/service.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.18/charts/config-api/values.yaml new file mode 100644 index 0000000000..f1d755d61d --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/charts/config/.helmignore b/charts/gluu/gluu/5.0.18/charts/config/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/config/.helmignore rename to charts/gluu/gluu/5.0.18/charts/config/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/config/Chart.yaml new file mode 100644 index 0000000000..ae57428f02 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/config/README.md b/charts/gluu/gluu/5.0.18/charts/config/README.md new file mode 100644 index 0000000000..58b0754343 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/clusterrolebinding.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/clusterrolebinding.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/clusterrolebinding.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..219baa19d9 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/templates/configmaps.yaml @@ -0,0 +1,431 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.18/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/ob-secrets.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/ob-secrets.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/ob-secrets.yaml diff --git a/charts/gluu/gluu/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/rolebinding.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/rolebinding.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/rolebinding.yaml diff --git a/charts/gluu/gluu/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/roles.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/roles.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/roles.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/service.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/service.yaml diff --git a/charts/gluu/gluu/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.18/charts/config/templates/user-custom-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/user-custom-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/config/templates/user-custom-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/config/values.yaml b/charts/gluu/gluu/5.0.18/charts/config/values.yaml new file mode 100644 index 0000000000..4501dceb3f --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/charts/scim/.helmignore b/charts/gluu/gluu/5.0.18/charts/fido2/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/scim/.helmignore rename to charts/gluu/gluu/5.0.18/charts/fido2/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..b33e6ea91f --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/README.md b/charts/gluu/gluu/5.0.18/charts/fido2/README.md new file mode 100644 index 0000000000..c582d8451d --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/fido2-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/fido2-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-pdb.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/fido2/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/service.yml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/service.yml rename to charts/gluu/gluu/5.0.18/charts/fido2/templates/service.yml diff --git a/charts/gluu/gluu/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/fido2/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.18/charts/fido2/values.yaml new file mode 100644 index 0000000000..48f7ef6d43 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/haproxy/haproxy/.helmignore b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/.helmignore similarity index 100% rename from charts/haproxy/haproxy/.helmignore rename to charts/gluu/gluu/5.0.18/charts/nginx-ingress/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..3be9d36dab --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..f1ee855073 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/README.md @@ -0,0 +1,62 @@ +# nginx-ingress + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{"kubernetes.io/ingress.class":"nginx"},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{"kubernetes.io/ingress.class":"nginx"}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalAnnotations."kubernetes.io/ingress.class" | string | `"nginx"` | Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s. | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..b8b0a827c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..9b84fe4f8e --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..9f13970efb --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/certificate.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/templates/certificate.yaml rename to charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/certificate.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..848ca121e5 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,681 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/openid-configuration /jans-auth/.well-known/openid-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /device-code /jans-auth/device_authorization.htm$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /firebase-messaging-sw.js /jans-auth/firebase-messaging-sw.js$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/uma2-configuration /jans-auth/restv1/uma2-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/webfinger /jans-auth/.well-known/webfinger$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/simple-web-discovery /jans-auth/.well-known/simple-web-discovery$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/scim-configuration /jans-scim/restv1/scim-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido-configuration /jans-auth/restv1/fido-configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido2-configuration /jans-fido2/restv1/configuration$1 break;" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.18/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..0d2487e888 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: + # -- Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s. + kubernetes.io/ingress.class: "nginx" + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.18/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..a21e14d2a1 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/README.md b/charts/gluu/gluu/5.0.18/charts/opendj/README.md new file mode 100644 index 0000000000..e1409e8ec9 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/opendj/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/opendj-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/opendj-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/opendj-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/opendj-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/opendj-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/opendj-pdb.yaml diff --git a/charts/gluu/gluu/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/service.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/service.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..91556cfa02 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,131 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: true + initContainers: + - command: + - /bin/sh + - -c + - ls -l /opt/opendj; /bin/chown -R 1000:1000 /opt/opendj || echo "did not work"; ls -l /opt/opendj; sleep 5 + image: busybox:latest + imagePullPolicy: Always + name: change-folders-ownership + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{- with $.Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ $.Values.dnsPolicy | quote }} + {{- with $.Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with $.Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "opendj.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/storageclass.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/storageclass.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/storageclass.yaml diff --git a/charts/gluu/gluu/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/opendj/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.18/charts/opendj/values.yaml new file mode 100644 index 0000000000..53101ad9b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.18/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..ddbcf74b5f --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.18/charts/oxpassport/README.md new file mode 100644 index 0000000000..8af973da00 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.18/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..8ef9abc11c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..8175b49bbc --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.18/charts/persistence/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/persistence/.helmignore rename to charts/gluu/gluu/5.0.18/charts/persistence/.helmignore diff --git a/charts/gluu/gluu/5.0.18/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..1482d1b8a3 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/persistence/README.md b/charts/gluu/gluu/5.0.18/charts/persistence/README.md new file mode 100644 index 0000000000..75ca5a54ee --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/persistence/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/persistence/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/charts/persistence/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.18/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.18/charts/persistence/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/persistence/templates/service.yaml rename to charts/gluu/gluu/5.0.18/charts/persistence/templates/service.yaml diff --git a/charts/gluu/gluu/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/persistence/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/persistence/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/persistence/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.18/charts/persistence/values.yaml new file mode 100644 index 0000000000..546249a325 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/persistence + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/scim/.helmignore b/charts/gluu/gluu/5.0.18/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.18/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.18/charts/scim/Chart.yaml new file mode 100644 index 0000000000..a38cb2ecd1 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.18 diff --git a/charts/gluu/gluu/5.0.18/charts/scim/README.md b/charts/gluu/gluu/5.0.18/charts/scim/README.md new file mode 100644 index 0000000000..27723b3983 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.18](https://img.shields.io/badge/Version-5.0.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.14-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.18/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.18/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.18/charts/scim/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/hpa.yaml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.18/charts/scim/templates/scim-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/scim-destination-rules.yaml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/scim-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.18/charts/scim/templates/scim-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/scim-pdb.yaml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/scim-pdb.yaml diff --git a/charts/gluu/gluu/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.18/charts/scim/templates/scim-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/scim-virtual-services.yaml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/scim-virtual-services.yaml diff --git a/charts/gluu/gluu/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.18/charts/scim/templates/service.yml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/service.yml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/service.yml diff --git a/charts/gluu/gluu/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.18/charts/scim/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.18/charts/scim/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.18/charts/scim/values.yaml b/charts/gluu/gluu/5.0.18/charts/scim/values.yaml new file mode 100644 index 0000000000..e2734e1cfa --- /dev/null +++ b/charts/gluu/gluu/5.0.18/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/openbanking-values.yaml b/charts/gluu/gluu/5.0.18/openbanking-values.yaml new file mode 100644 index 0000000000..9adc810808 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.14_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.14_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.14_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.14_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/questions.yaml b/charts/gluu/gluu/5.0.18/questions.yaml similarity index 100% rename from charts/gluu/gluu/questions.yaml rename to charts/gluu/gluu/5.0.18/questions.yaml diff --git a/charts/gluu/gluu/templates/_helpers.tpl b/charts/gluu/gluu/5.0.18/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.18/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.18/values.schema.json b/charts/gluu/gluu/5.0.18/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.18/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.18/values.yaml b/charts/gluu/gluu/5.0.18/values.yaml new file mode 100644 index 0000000000..423198b421 --- /dev/null +++ b/charts/gluu/gluu/5.0.18/values.yaml @@ -0,0 +1,1754 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/casa + # -- Image tag to use for deploying. + tag: 5.0.0-13 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.14-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/Chart.yaml b/charts/gluu/gluu/5.0.19/Chart.yaml new file mode 100644 index 0000000000..da541c287b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.19 official release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.15_dev + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.15_dev + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.15_dev + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.15_dev + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.15_dev + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.15_dev + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.15_dev + - name: casa + image: ghcr.io/gluufederation/flex/casa:5.0.0_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.15_dev + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.19 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.19 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.19 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.19 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.19 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.19 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.19 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.19 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.19 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.19 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.19 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.19 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.19 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.19 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/README.md b/charts/gluu/gluu/5.0.19/README.md new file mode 100644 index 0000000000..33891aa402 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.19 | +| | auth-server | 5.0.19 | +| | auth-server-key-rotation | 5.0.19 | +| | casa | 5.0.19 | +| | cn-istio-ingress | 5.0.19 | +| | config | 5.0.19 | +| | config-api | 5.0.19 | +| | fido2 | 5.0.19 | +| | nginx-ingress | 5.0.19 | +| | opendj | 5.0.19 | +| | oxpassport | 5.0.19 | +| | oxshibboleth | 5.0.19 | +| | persistence | 5.0.19 | +| | scim | 5.0.19 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.15-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.15-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.15-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-14"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0-14"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.15-1"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.15-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.15-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-12"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.15-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.15-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/app-readme.md b/charts/gluu/gluu/5.0.19/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.19/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..239fada001 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.19/charts/admin-ui/README.md new file mode 100644 index 0000000000..ed6cf70c8b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.19/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..4a6e13aa9d --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..382f7d008a --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..9b293592cd --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..89b9d6601f --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.19/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..1fe8f9dc9e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/README.md b/charts/gluu/gluu/5.0.19/charts/auth-server/README.md new file mode 100644 index 0000000000..045bb7f51b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.19/charts/auth-server/values.yaml new file mode 100644 index 0000000000..39f7637da9 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/charts/saml/.helmignore b/charts/gluu/gluu/5.0.19/charts/casa/.helmignore similarity index 100% rename from charts/gluu/gluu/charts/saml/.helmignore rename to charts/gluu/gluu/5.0.19/charts/casa/.helmignore diff --git a/charts/gluu/gluu/5.0.19/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/casa/Chart.yaml new file mode 100644 index 0000000000..5c2ba35c92 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/casa/README.md b/charts/gluu/gluu/5.0.19/charts/casa/README.md new file mode 100644 index 0000000000..6e56f4b9e7 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/casa/values.yaml b/charts/gluu/gluu/5.0.19/charts/casa/values.yaml new file mode 100644 index 0000000000..37c37c7b58 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..1cea687a8d --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..64c165f467 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.19/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..f4fee2ebf2 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/README.md b/charts/gluu/gluu/5.0.19/charts/config-api/README.md new file mode 100644 index 0000000000..65b84087f8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.19/charts/config-api/values.yaml new file mode 100644 index 0000000000..2233d0d0a3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/charts/config/.helmignore b/charts/gluu/gluu/5.0.19/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.19/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/config/Chart.yaml new file mode 100644 index 0000000000..642228409d --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/config/README.md b/charts/gluu/gluu/5.0.19/charts/config/README.md new file mode 100644 index 0000000000..dc8d91d109 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..fc15f42b6b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/configmaps.yaml @@ -0,0 +1,433 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.19/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.19/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.19/charts/config/values.yaml b/charts/gluu/gluu/5.0.19/charts/config/values.yaml new file mode 100644 index 0000000000..d245a67878 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.19/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..ff95c87b03 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/README.md b/charts/gluu/gluu/5.0.19/charts/fido2/README.md new file mode 100644 index 0000000000..234759baf3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.19/charts/fido2/values.yaml new file mode 100644 index 0000000000..3e41844185 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..b7b9b7770e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..fdb8699245 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/README.md @@ -0,0 +1,62 @@ +# nginx-ingress + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{"kubernetes.io/ingress.class":"nginx"},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{"kubernetes.io/ingress.class":"nginx"}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalAnnotations."kubernetes.io/ingress.class" | string | `"nginx"` | Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s. | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..b8b0a827c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..9b84fe4f8e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..9f13970efb --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..5f7e83b4c0 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,672 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.19/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..0d2487e888 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: + # -- Required annotation below. Use kubernetes.io/ingress.class: "public" for microk8s. + kubernetes.io/ingress.class: "nginx" + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.19/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..38a5eb49d3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/README.md b/charts/gluu/gluu/5.0.19/charts/opendj/README.md new file mode 100644 index 0000000000..7de150473e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-14"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..989a156b2e --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.19/charts/opendj/values.yaml new file mode 100644 index 0000000000..c7746d6615 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-14 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.19/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..0b10facc22 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.19/charts/oxpassport/README.md new file mode 100644 index 0000000000..f976b56578 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.19/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..9a8b093e4c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..e45e912c6c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.19/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..7a227435ec --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/README.md b/charts/gluu/gluu/5.0.19/charts/persistence/README.md new file mode 100644 index 0000000000..e06df34ea3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.19/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.19/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.19/charts/persistence/values.yaml new file mode 100644 index 0000000000..21398ea85c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/persistence + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/.helmignore b/charts/gluu/gluu/5.0.19/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.19/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.19/charts/scim/Chart.yaml new file mode 100644 index 0000000000..b9a090e09c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.19 diff --git a/charts/gluu/gluu/5.0.19/charts/scim/README.md b/charts/gluu/gluu/5.0.19/charts/scim/README.md new file mode 100644 index 0000000000..291fd459f3 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.19](https://img.shields.io/badge/Version-5.0.19-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.15-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.19/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.19/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.19/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.19/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.19/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/charts/scim/values.yaml b/charts/gluu/gluu/5.0.19/charts/scim/values.yaml new file mode 100644 index 0000000000..84f476ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/openbanking-values.yaml b/charts/gluu/gluu/5.0.19/openbanking-values.yaml new file mode 100644 index 0000000000..5054fca7c8 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.15_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.15_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.15_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.15_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.19/questions.yaml b/charts/gluu/gluu/5.0.19/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.19/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.19/templates/_helpers.tpl b/charts/gluu/gluu/5.0.19/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.19/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.19/values.schema.json b/charts/gluu/gluu/5.0.19/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.19/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.19/values.yaml b/charts/gluu/gluu/5.0.19/values.yaml new file mode 100644 index 0000000000..9dd5fb276c --- /dev/null +++ b/charts/gluu/gluu/5.0.19/values.yaml @@ -0,0 +1,1754 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/casa + # -- Image tag to use for deploying. + tag: 5.0.0-14 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.15-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/Chart.yaml b/charts/gluu/gluu/5.0.20/Chart.yaml new file mode 100644 index 0000000000..6b6a151f81 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.20 release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.16-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.16-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.16-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.16-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.16-1 + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.16-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.16-1 + - name: casa + image: ghcr.io/gluufederation/flex/casa:5.0.0_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.16-1 + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.20 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.20 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.20 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.20 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.20 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.20 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.20 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.20 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.20 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.20 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.20 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.20 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.20 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.20 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/README.md b/charts/gluu/gluu/5.0.20/README.md new file mode 100644 index 0000000000..e56e9c1639 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.20 | +| | auth-server | 5.0.20 | +| | auth-server-key-rotation | 5.0.20 | +| | casa | 5.0.20 | +| | cn-istio-ingress | 5.0.20 | +| | config | 5.0.20 | +| | config-api | 5.0.20 | +| | fido2 | 5.0.20 | +| | nginx-ingress | 5.0.20 | +| | opendj | 5.0.20 | +| | oxpassport | 5.0.20 | +| | oxshibboleth | 5.0.20 | +| | persistence | 5.0.20 | +| | scim | 5.0.20 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.16-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.16-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.16-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-15"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.16-1"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.16-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.16-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-12"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.16-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.16-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/app-readme.md b/charts/gluu/gluu/5.0.20/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.20/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..a65f80056a --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.20/charts/admin-ui/README.md new file mode 100644 index 0000000000..6b08abe86c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.20/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..cc70dd38ac --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..5580c131aa --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..5b4fe7413b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..787af27f1e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.20/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..9a975b63c5 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/README.md b/charts/gluu/gluu/5.0.20/charts/auth-server/README.md new file mode 100644 index 0000000000..96a06a92fa --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.20/charts/auth-server/values.yaml new file mode 100644 index 0000000000..2c8eff9446 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/charts/casa/.helmignore b/charts/gluu/gluu/5.0.20/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.20/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/casa/Chart.yaml new file mode 100644 index 0000000000..5027cd386b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/casa/README.md b/charts/gluu/gluu/5.0.20/charts/casa/README.md new file mode 100644 index 0000000000..3e6d92eae0 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/casa/values.yaml b/charts/gluu/gluu/5.0.20/charts/casa/values.yaml new file mode 100644 index 0000000000..37c37c7b58 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..e640a72fbe --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..8949178cdb --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.20/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..a86e3a36ad --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/README.md b/charts/gluu/gluu/5.0.20/charts/config-api/README.md new file mode 100644 index 0000000000..b4930ddaa8 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.20/charts/config-api/values.yaml new file mode 100644 index 0000000000..c4956957ed --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/charts/config/.helmignore b/charts/gluu/gluu/5.0.20/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.20/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/config/Chart.yaml new file mode 100644 index 0000000000..364cddc842 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/config/README.md b/charts/gluu/gluu/5.0.20/charts/config/README.md new file mode 100644 index 0000000000..dcd26e3e34 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..fc15f42b6b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/configmaps.yaml @@ -0,0 +1,433 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.20/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.20/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.20/charts/config/values.yaml b/charts/gluu/gluu/5.0.20/charts/config/values.yaml new file mode 100644 index 0000000000..04e98d6faf --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.20/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..ea0ac9c6d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/README.md b/charts/gluu/gluu/5.0.20/charts/fido2/README.md new file mode 100644 index 0000000000..e00e0e144e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.20/charts/fido2/values.yaml new file mode 100644 index 0000000000..92bb3b1e52 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..8ea5f135e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..579ec3a395 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/README.md @@ -0,0 +1,61 @@ +# nginx-ingress + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/admin-ui-ingress.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/templates/admin-ui-ingress.yaml rename to charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/admin-ui-ingress.yaml diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml rename to charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..9f13970efb --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..ddd01115c4 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,672 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.20/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..60330b1541 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.20/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..b44f460fae --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/README.md b/charts/gluu/gluu/5.0.20/charts/opendj/README.md new file mode 100644 index 0000000000..04bdf0ee7a --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..989a156b2e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.20/charts/opendj/values.yaml new file mode 100644 index 0000000000..8fec7b7337 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.20/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..47a68e0c91 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.20/charts/oxpassport/README.md new file mode 100644 index 0000000000..216bb760c2 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.20/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..8155a43f36 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..ab6e0f9efb --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.20/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..ccc23b9138 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/README.md b/charts/gluu/gluu/5.0.20/charts/persistence/README.md new file mode 100644 index 0000000000..8e041e12e3 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.20/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.20/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.20/charts/persistence/values.yaml new file mode 100644 index 0000000000..e2c4a60579 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/persistence + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/.helmignore b/charts/gluu/gluu/5.0.20/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.20/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.20/charts/scim/Chart.yaml new file mode 100644 index 0000000000..18d2ce6f3e --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.20 diff --git a/charts/gluu/gluu/5.0.20/charts/scim/README.md b/charts/gluu/gluu/5.0.20/charts/scim/README.md new file mode 100644 index 0000000000..9140722c08 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.20](https://img.shields.io/badge/Version-5.0.20-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.16-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.20/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.20/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.20/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.20/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.20/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/charts/scim/values.yaml b/charts/gluu/gluu/5.0.20/charts/scim/values.yaml new file mode 100644 index 0000000000..490bba7cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/openbanking-values.yaml b/charts/gluu/gluu/5.0.20/openbanking-values.yaml new file mode 100644 index 0000000000..b3e263c197 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.20/questions.yaml b/charts/gluu/gluu/5.0.20/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.20/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.20/templates/_helpers.tpl b/charts/gluu/gluu/5.0.20/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.20/values.schema.json b/charts/gluu/gluu/5.0.20/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.20/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.20/values.yaml b/charts/gluu/gluu/5.0.20/values.yaml new file mode 100644 index 0000000000..79eb0dcd68 --- /dev/null +++ b/charts/gluu/gluu/5.0.20/values.yaml @@ -0,0 +1,1756 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/casa + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/Chart.yaml b/charts/gluu/gluu/5.0.21/Chart.yaml new file mode 100644 index 0000000000..68124ce631 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.21 dev release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.17_dev + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.17_dev + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.17_dev + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.17_dev + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.17_dev + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.17_dev + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.17_dev + - name: casa + image: ghcr.io/gluufederation/flex/casa:5.0.0_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.17_dev + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.21 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.21 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.21 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.21 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.21 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.21 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.21 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.21 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.21 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.21 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.21 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.21 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.21 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.21 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/README.md b/charts/gluu/gluu/5.0.21/README.md new file mode 100644 index 0000000000..96798a4f74 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.21 | +| | auth-server | 5.0.21 | +| | auth-server-key-rotation | 5.0.21 | +| | casa | 5.0.21 | +| | cn-istio-ingress | 5.0.21 | +| | config | 5.0.21 | +| | config-api | 5.0.21 | +| | fido2 | 5.0.21 | +| | nginx-ingress | 5.0.21 | +| | opendj | 5.0.21 | +| | oxpassport | 5.0.21 | +| | oxshibboleth | 5.0.21 | +| | persistence | 5.0.21 | +| | scim | 5.0.21 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.17_dev"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.17_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.17_dev"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-15"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.17_dev"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.17_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.17_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-12"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.17_dev"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.17_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/app-readme.md b/charts/gluu/gluu/5.0.21/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.21/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..35c8aa837b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.21/charts/admin-ui/README.md new file mode 100644 index 0000000000..6864f5aa31 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.21/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..cfae3d1041 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..ff88d7a554 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..2519787e9e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..ba40decc0b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.21/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..a98dd7cf86 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/README.md b/charts/gluu/gluu/5.0.21/charts/auth-server/README.md new file mode 100644 index 0000000000..9d5ac6eb97 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.21/charts/auth-server/values.yaml new file mode 100644 index 0000000000..4bac2379f4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/charts/casa/.helmignore b/charts/gluu/gluu/5.0.21/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.21/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/casa/Chart.yaml new file mode 100644 index 0000000000..55c8e14ead --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/casa/README.md b/charts/gluu/gluu/5.0.21/charts/casa/README.md new file mode 100644 index 0000000000..da94018d35 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/casa/values.yaml b/charts/gluu/gluu/5.0.21/charts/casa/values.yaml new file mode 100644 index 0000000000..37c37c7b58 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..364d4d79ae --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..2c18d5a175 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.21/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..565c06f83e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/README.md b/charts/gluu/gluu/5.0.21/charts/config-api/README.md new file mode 100644 index 0000000000..0f9f8f226f --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.21/charts/config-api/values.yaml new file mode 100644 index 0000000000..c498dad8c9 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/charts/config/.helmignore b/charts/gluu/gluu/5.0.21/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.21/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/config/Chart.yaml new file mode 100644 index 0000000000..24d26e42e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/config/README.md b/charts/gluu/gluu/5.0.21/charts/config/README.md new file mode 100644 index 0000000000..2a0fafe708 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..fc15f42b6b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/configmaps.yaml @@ -0,0 +1,433 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.21/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.21/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.21/charts/config/values.yaml b/charts/gluu/gluu/5.0.21/charts/config/values.yaml new file mode 100644 index 0000000000..d6d6218101 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.21/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..53eda9369a --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/README.md b/charts/gluu/gluu/5.0.21/charts/fido2/README.md new file mode 100644 index 0000000000..63ffdbdb36 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.21/charts/fido2/values.yaml new file mode 100644 index 0000000000..5844212ebf --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..1b31aac58b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..361bfbd16e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/README.md @@ -0,0 +1,61 @@ +# nginx-ingress + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..9f13970efb --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..ddd01115c4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,672 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.21/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..60330b1541 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.21/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..c0ea7ddbda --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/README.md b/charts/gluu/gluu/5.0.21/charts/opendj/README.md new file mode 100644 index 0000000000..0f515ae78d --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..989a156b2e --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.21/charts/opendj/values.yaml new file mode 100644 index 0000000000..8fec7b7337 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.21/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..0b2166da85 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.21/charts/oxpassport/README.md new file mode 100644 index 0000000000..b86599ff50 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.21/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..56af525752 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..34fcf674d9 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.21/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..0b7916edec --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/README.md b/charts/gluu/gluu/5.0.21/charts/persistence/README.md new file mode 100644 index 0000000000..3d55cc1c73 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.21/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.21/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.21/charts/persistence/values.yaml new file mode 100644 index 0000000000..272a2c7f4d --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/persistence + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/.helmignore b/charts/gluu/gluu/5.0.21/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.21/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.21/charts/scim/Chart.yaml new file mode 100644 index 0000000000..285ecc47c4 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.21 diff --git a/charts/gluu/gluu/5.0.21/charts/scim/README.md b/charts/gluu/gluu/5.0.21/charts/scim/README.md new file mode 100644 index 0000000000..ae6fe50227 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.21](https://img.shields.io/badge/Version-5.0.21-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.17_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.21/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.21/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.21/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.21/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.21/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/charts/scim/values.yaml b/charts/gluu/gluu/5.0.21/charts/scim/values.yaml new file mode 100644 index 0000000000..54a1978f3b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/openbanking-values.yaml b/charts/gluu/gluu/5.0.21/openbanking-values.yaml new file mode 100644 index 0000000000..b3e263c197 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.16-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.21/questions.yaml b/charts/gluu/gluu/5.0.21/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.21/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.21/templates/_helpers.tpl b/charts/gluu/gluu/5.0.21/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.21/values.schema.json b/charts/gluu/gluu/5.0.21/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.21/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.21/values.yaml b/charts/gluu/gluu/5.0.21/values.yaml new file mode 100644 index 0000000000..6b8b0b6865 --- /dev/null +++ b/charts/gluu/gluu/5.0.21/values.yaml @@ -0,0 +1,1756 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/casa + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.17_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/Chart.yaml b/charts/gluu/gluu/5.0.22/Chart.yaml new file mode 100644 index 0000000000..6b69339b11 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.23 dev release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.19_dev + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.19_dev + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.19_dev + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.19_dev + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.19_dev + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.19_dev + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.19_dev + - name: casa + image: ghcr.io/gluufederation/flex/casa:5.0.0_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.19_dev + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.22 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.22 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.22 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.22 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.22 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.22 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.22 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.22 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.22 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.22 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.22 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.22 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.22 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.22 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/README.md b/charts/gluu/gluu/5.0.22/README.md new file mode 100644 index 0000000000..14e6821362 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.22 | +| | auth-server | 5.0.22 | +| | auth-server-key-rotation | 5.0.22 | +| | casa | 5.0.22 | +| | cn-istio-ingress | 5.0.22 | +| | config | 5.0.22 | +| | config-api | 5.0.22 | +| | fido2 | 5.0.22 | +| | nginx-ingress | 5.0.22 | +| | opendj | 5.0.22 | +| | oxpassport | 5.0.22 | +| | oxshibboleth | 5.0.22 | +| | persistence | 5.0.22 | +| | scim | 5.0.22 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.19_dev"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.19_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.19_dev"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.19_dev"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.19_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.19_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.19_dev"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.19_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/app-readme.md b/charts/gluu/gluu/5.0.22/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.22/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.22/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..f7cb80b59d --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.22/charts/admin-ui/README.md new file mode 100644 index 0000000000..417e4cc021 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.22/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..23b2fa0dc3 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..07d41fc011 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..d2ad6536c7 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..a4c1aa63f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.22/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..9c607baffb --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/README.md b/charts/gluu/gluu/5.0.22/charts/auth-server/README.md new file mode 100644 index 0000000000..bbceab0bb8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.22/charts/auth-server/values.yaml new file mode 100644 index 0000000000..736c12ec8b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/charts/casa/.helmignore b/charts/gluu/gluu/5.0.22/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.22/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/casa/Chart.yaml new file mode 100644 index 0000000000..8cd78a6b39 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Gluu Server. +home: https://gluu.org/docs/casa/ +icon: https://casa.gluu.org/wp-content/themes/gluucasa/casafavicon.ico +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/docs/casa/ +- https://github.com/GluuFederation/docker-casa +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/casa +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/casa/README.md b/charts/gluu/gluu/5.0.22/charts/casa/README.md new file mode 100644 index 0000000000..defc935d82 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/casa"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/casa/values.yaml b/charts/gluu/gluu/5.0.22/charts/casa/values.yaml new file mode 100644 index 0000000000..37c37c7b58 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/casa + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..f9d51364a1 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..5a7e9d448b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.22/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..dd5f6b9dfd --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/README.md b/charts/gluu/gluu/5.0.22/charts/config-api/README.md new file mode 100644 index 0000000000..1e588044f4 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.22/charts/config-api/values.yaml new file mode 100644 index 0000000000..ac252c71c2 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/charts/config/.helmignore b/charts/gluu/gluu/5.0.22/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.22/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/config/Chart.yaml new file mode 100644 index 0000000000..8642585990 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/config/README.md b/charts/gluu/gluu/5.0.22/charts/config/README.md new file mode 100644 index 0000000000..fef7b567e5 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..fc15f42b6b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/configmaps.yaml @@ -0,0 +1,433 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.22/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.22/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.22/charts/config/values.yaml b/charts/gluu/gluu/5.0.22/charts/config/values.yaml new file mode 100644 index 0000000000..5de22c807a --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.22/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..8e436dca81 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/README.md b/charts/gluu/gluu/5.0.22/charts/fido2/README.md new file mode 100644 index 0000000000..1b670dfa45 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.22/charts/fido2/values.yaml new file mode 100644 index 0000000000..52f12cc7a9 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..17b2561a40 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..50e7565dea --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/README.md @@ -0,0 +1,61 @@ +# nginx-ingress + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..9f13970efb --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..ddd01115c4 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,672 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.22/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..60330b1541 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.22/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..e04ba3c3f9 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/README.md b/charts/gluu/gluu/5.0.22/charts/opendj/README.md new file mode 100644 index 0000000000..dd98d5566b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..989a156b2e --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.22/charts/opendj/values.yaml new file mode 100644 index 0000000000..8fec7b7337 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.22/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..4962e91c65 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.22/charts/oxpassport/README.md new file mode 100644 index 0000000000..1642424f72 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.22/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..48d439482d --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..2abb6be599 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.22/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..4506265d32 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/README.md b/charts/gluu/gluu/5.0.22/charts/persistence/README.md new file mode 100644 index 0000000000..f166e9670c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.22/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.22/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.22/charts/persistence/values.yaml new file mode 100644 index 0000000000..7e9f3c441c --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/.helmignore b/charts/gluu/gluu/5.0.22/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.22/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.22/charts/scim/Chart.yaml new file mode 100644 index 0000000000..7fc66fa513 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.22 diff --git a/charts/gluu/gluu/5.0.22/charts/scim/README.md b/charts/gluu/gluu/5.0.22/charts/scim/README.md new file mode 100644 index 0000000000..e74fcfbdce --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.22](https://img.shields.io/badge/Version-5.0.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.19_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.22/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.22/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.22/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.22/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.22/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/charts/scim/values.yaml b/charts/gluu/gluu/5.0.22/charts/scim/values.yaml new file mode 100644 index 0000000000..d587af146f --- /dev/null +++ b/charts/gluu/gluu/5.0.22/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/openbanking-values.yaml b/charts/gluu/gluu/5.0.22/openbanking-values.yaml new file mode 100644 index 0000000000..32957c91c8 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.22/questions.yaml b/charts/gluu/gluu/5.0.22/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.22/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.22/templates/_helpers.tpl b/charts/gluu/gluu/5.0.22/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.22/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.22/values.schema.json b/charts/gluu/gluu/5.0.22/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.22/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.22/values.yaml b/charts/gluu/gluu/5.0.22/values.yaml new file mode 100644 index 0000000000..b33a225f8e --- /dev/null +++ b/charts/gluu/gluu/5.0.22/values.yaml @@ -0,0 +1,1756 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/casa + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/Chart.yaml b/charts/gluu/gluu/5.0.23/Chart.yaml new file mode 100644 index 0000000000..68001d7081 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/Chart.yaml @@ -0,0 +1,102 @@ +annotations: + artifacthub.io/changes: | + - Chart 5.0.23 release + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.19_dev + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.19_dev + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.19_dev + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.19_dev + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.19_dev + - name: opendj + image: gluufederation/opendj:5.0.0-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.19_dev + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.19_dev + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.0.19_dev + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.19_dev + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.23 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.23 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.23 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.23 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.23 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.23 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.23 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.23 +- condition: global.oxshibboleth.enabled + name: oxshibboleth + repository: file://./charts/oxshibboleth + version: 5.0.23 +- condition: global.oxpassport.enabled + name: oxpassport + repository: file://./charts/oxpassport + version: 5.0.23 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.23 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.23 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.23 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.23 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://gluu.org/docs/gluu-server +- https://github.com/GluuFederation/flex/flex-cn-setup +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/README.md b/charts/gluu/gluu/5.0.23/README.md new file mode 100644 index 0000000000..502b849d96 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/README.md @@ -0,0 +1,605 @@ +# gluu + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.23 | +| | auth-server | 5.0.23 | +| | auth-server-key-rotation | 5.0.23 | +| | casa | 5.0.23 | +| | cn-istio-ingress | 5.0.23 | +| | config | 5.0.23 | +| | config-api | 5.0.23 | +| | fido2 | 5.0.23 | +| | nginx-ingress | 5.0.23 | +| | opendj | 5.0.23 | +| | oxpassport | 5.0.23 | +| | oxshibboleth | 5.0.23 | +| | persistence | 5.0.23 | +| | scim | 5.0.23 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.19-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/casa","tag":"5.0.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/gluufederation/flex/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.19-1"},"ldapPassword":"P@ssw0rds","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":false},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"oxpassport":{"enabled":false,"oxPassportServiceName":"oxpassport"},"oxshibboleth":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""},"enabled":false,"oxShibbolethServiceName":"oxshibboleth"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `false` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.oxpassport.enabled | bool | `false` | Boolean flag to enable/disable passport chart | +| global.oxpassport.oxPassportServiceName | string | `"oxpassport"` | Name of the oxPassport service. Please keep it as default. | +| global.oxshibboleth.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","consentAuditLogLevel":"INFO","consentAuditLogTarget":"FILE","containerLogLevel":"","encryptionLogLevel":"","httpclientLogLevel":"","idpLogLevel":"INFO","idpLogTarget":"STDOUT","ldapLogLevel":"","messagesLogLevel":"","opensamlLogLevel":"","propsLogLevel":"","scriptLogLevel":"INFO","scriptLogTarget":"FILE","springLogLevel":"","xmlsecLogLevel":""}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" Targets are "STDOUT" and "FILE" | +| global.oxshibboleth.appLoggers.auditStatsLogLevel | string | `"INFO"` | idp-audit.log level | +| global.oxshibboleth.appLoggers.auditStatsLogTarget | string | `"FILE"` | idp-audit.log target | +| global.oxshibboleth.appLoggers.consentAuditLogLevel | string | `"INFO"` | idp-consent-audit.log level | +| global.oxshibboleth.appLoggers.consentAuditLogTarget | string | `"FILE"` | idp-consent-audit.log target | +| global.oxshibboleth.appLoggers.idpLogLevel | string | `"INFO"` | idp-process.log level | +| global.oxshibboleth.appLoggers.idpLogTarget | string | `"STDOUT"` | idp-process.log target | +| global.oxshibboleth.appLoggers.ldapLogLevel | string | `""` | https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration The below are very noisy logs and are better left untouched | +| global.oxshibboleth.appLoggers.scriptLogLevel | string | `"INFO"` | idp-script.log level | +| global.oxshibboleth.appLoggers.scriptLogTarget | string | `"FILE"` | idp-script.log target | +| global.oxshibboleth.enabled | bool | `false` | Boolean flag to enable/disable the oxShibbboleth chart. | +| global.oxshibboleth.oxShibbolethServiceName | string | `"oxshibboleth"` | Name of the oxShibboleth service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxpassport | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxpassport","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu interface to Passport.js to support social login and inbound identity. | +| oxpassport.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxpassport.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxpassport.dnsConfig | object | `{}` | Add custom dns config | +| oxpassport.dnsPolicy | string | `""` | Add custom dns policy | +| oxpassport.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxpassport.hpa.behavior | object | `{}` | Scaling Policies | +| oxpassport.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxpassport.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxpassport.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxpassport.image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| oxpassport.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxpassport.livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| oxpassport.livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| oxpassport.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| oxpassport.readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| oxpassport.readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| oxpassport.replicas | int | `1` | Service replica number | +| oxpassport.resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| oxpassport.resources.limits.cpu | string | `"700m"` | CPU limit. | +| oxpassport.resources.limits.memory | string | `"900Mi"` | Memory limit. | +| oxpassport.resources.requests.cpu | string | `"700m"` | CPU request. | +| oxpassport.resources.requests.memory | string | `"900Mi"` | Memory request. | +| oxpassport.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxpassport.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxpassport.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxpassport.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxpassport.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxpassport.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| oxshibboleth | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/oxshibboleth","tag":"5.0.0-12"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Shibboleth project for the Gluu Server's SAML IDP functionality. | +| oxshibboleth.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| oxshibboleth.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| oxshibboleth.dnsConfig | object | `{}` | Add custom dns config | +| oxshibboleth.dnsPolicy | string | `""` | Add custom dns policy | +| oxshibboleth.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| oxshibboleth.hpa.behavior | object | `{}` | Scaling Policies | +| oxshibboleth.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| oxshibboleth.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| oxshibboleth.image.pullSecrets | list | `[]` | Image Pull Secrets | +| oxshibboleth.image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| oxshibboleth.image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| oxshibboleth.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxshibboleth if needed. https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py | +| oxshibboleth.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| oxshibboleth.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| oxshibboleth.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| oxshibboleth.replicas | int | `1` | Service replica number. | +| oxshibboleth.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| oxshibboleth.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| oxshibboleth.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| oxshibboleth.resources.requests.cpu | string | `"1000m"` | CPU request. | +| oxshibboleth.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| oxshibboleth.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| oxshibboleth.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| oxshibboleth.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| oxshibboleth.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| oxshibboleth.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| oxshibboleth.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.19-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.19-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/app-readme.md b/charts/gluu/gluu/5.0.23/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.23/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..2599dcd5bf --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/admin-ui +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.23/charts/admin-ui/README.md new file mode 100644 index 0000000000..3a9fb99746 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/README.md @@ -0,0 +1,59 @@ +# admin-ui + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..9a173cad98 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,175 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.23/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..368419ff94 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/admin-ui/values.yaml @@ -0,0 +1,88 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..1bfea05c2e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..fd9dde0447 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/README.md @@ -0,0 +1,49 @@ +# auth-server-key-rotation + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..5b5dd7da69 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,129 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "0 */{{ .Values.keysLife }} * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + restartPolicy: Never + diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..881ce06cea --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,55 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.23/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..cb11d03e1c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/auth-server +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/README.md b/charts/gluu/gluu/5.0.23/charts/auth-server/README.md new file mode 100644 index 0000000000..d6720e5404 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/README.md @@ -0,0 +1,61 @@ +# auth-server + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..000efa42ec --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/deployment.yml @@ -0,0 +1,264 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.23/charts/auth-server/values.yaml new file mode 100644 index 0000000000..d50b10b542 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/auth-server/values.yaml @@ -0,0 +1,93 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/charts/casa/.helmignore b/charts/gluu/gluu/5.0.23/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.23/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/casa/Chart.yaml new file mode 100644 index 0000000000..7030fca75f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/casa/README.md b/charts/gluu/gluu/5.0.23/charts/casa/README.md new file mode 100644 index 0000000000..e291a67dbd --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/README.md @@ -0,0 +1,65 @@ +# casa + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..185693f5ce --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/deployment.yaml @@ -0,0 +1,178 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/casa/values.yaml b/charts/gluu/gluu/5.0.23/charts/casa/values.yaml new file mode 100644 index 0000000000..f9e3245f93 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/casa/values.yaml @@ -0,0 +1,105 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..669d1f0b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/cn-istio-ingress +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..a3db544856 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.23/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..f1e67918f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config-api +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/README.md b/charts/gluu/gluu/5.0.23/charts/config-api/README.md new file mode 100644 index 0000000000..1593e906c1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/README.md @@ -0,0 +1,65 @@ +# config-api + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..b6e221ab2b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/deployment.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.23/charts/config-api/values.yaml new file mode 100644 index 0000000000..5fad1d3c62 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config-api/values.yaml @@ -0,0 +1,102 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/charts/config/.helmignore b/charts/gluu/gluu/5.0.23/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.23/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/config/Chart.yaml new file mode 100644 index 0000000000..0ba32040d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://gluu.org/docs/gluu-server/reference/container-configs/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/config +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/config/README.md b/charts/gluu/gluu/5.0.23/charts/config/README.md new file mode 100644 index 0000000000..dc3567f94e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/README.md @@ -0,0 +1,105 @@ +# config + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..fc15f42b6b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/configmaps.yaml @@ -0,0 +1,433 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + CN_PASSPORT_ENABLED: {{ .Values.global.oxpassport.enabled | quote }} + {{- if .Values.global.oxshibboleth.enabled }} + CN_SAML_ENABLED: {{ .Values.global.oxshibboleth.enabled | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + GLUU_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + ssl_cert = None + ssl_key = None + if core_cli.read_namespaced_secret(secret_name, namespace): + ssl_cert = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_cert'] + ssl_key = core_cli.read_namespaced_secret(secret_name, namespace).data['ssl_key'] + + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert and key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error("No certificate or key was found in secrets.") + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.23/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..2a503fd2b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/load-init-config.yml @@ -0,0 +1,135 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} + {{- else }} + /app/scripts/entrypoint.sh load + {{- end }} + /usr/bin/python3 /scripts/tls_generator.py + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..dab9a6dc86 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/secrets.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.23/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.23/charts/config/values.yaml b/charts/gluu/gluu/5.0.23/charts/config/values.yaml new file mode 100644 index 0000000000..76717b2e5f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/config/values.yaml @@ -0,0 +1,179 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.23/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..03c2c9ca82 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://gluu.org/docs/gluu-server/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/fido2 +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/README.md b/charts/gluu/gluu/5.0.23/charts/fido2/README.md new file mode 100644 index 0000000000..c6d9b0fed0 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/README.md @@ -0,0 +1,62 @@ +# fido2 + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..95b4ef77d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/deployment.yml @@ -0,0 +1,176 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.23/charts/fido2/values.yaml new file mode 100644 index 0000000000..d1f9cd6cf1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/fido2/values.yaml @@ -0,0 +1,91 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..a764686e62 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/nginx-ingress +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..0c1e348777 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/README.md @@ -0,0 +1,61 @@ +# nginx-ingress + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..f21ae0afe9 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,54 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..ddd01115c4 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,672 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + diff --git a/charts/gluu/gluu/5.0.23/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..60330b1541 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.23/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..521192d88e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/opendj +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/README.md b/charts/gluu/gluu/5.0.23/charts/opendj/README.md new file mode 100644 index 0000000000..faa7a675b0 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/README.md @@ -0,0 +1,74 @@ +# opendj + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..930d6f0679 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,95 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${GLUU_MAX_RAM_PERCENTAGE} ${GLUU_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + export JAVA_VERSION=$(java -version 2>&1 | awk -F '[\"_]' 'NR==1{print $2}') + + python3 /app/scripts/wait.py + + if [ ! -f /deploy/touched ]; then + python3 /app/scripts/entrypoint.py + touch /deploy/touched + fi + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + restartPolicy: Never +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..989a156b2e --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.23/charts/opendj/values.yaml new file mode 100644 index 0000000000..8fec7b7337 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/opendj/values.yaml @@ -0,0 +1,138 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/.helmignore b/charts/gluu/gluu/5.0.23/charts/oxpassport/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/Chart.yaml new file mode 100644 index 0000000000..cb361ec800 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Gluu interface to Passport.js to support social login and inbound identity. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Passport.js +- Inbound Identity +- Social login +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxpassport +sources: +- https://github.com/GluuFederation/gluu-passport +- https://github.com/GluuFederation/docker-oxpassport +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxpassport +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/README.md b/charts/gluu/gluu/5.0.23/charts/oxpassport/README.md new file mode 100644 index 0000000000..76ba3a11dc --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/README.md @@ -0,0 +1,67 @@ +# oxpassport + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu interface to Passport.js to support social login and inbound identity. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxpassport"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for oxPassport if needed. | +| livenessProbe.httpGet.path | string | `"/passport/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/passport/health-check","port":"http-passport"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxPassport if needed. | +| readinessProbe.httpGet.path | string | `"/passport/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number | +| resources | object | `{"limits":{"cpu":"700m","memory":"900Mi"},"requests":{"cpu":"700m","memory":"900Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"700m"` | CPU limit. | +| resources.limits.memory | string | `"900Mi"` | Memory limit. | +| resources.requests.cpu | string | `"700m"` | CPU request. | +| resources.requests.memory | string | `"900Mi"` | Memory request. | +| service.name | string | `"http-passport"` | The name of the oxPassport port within the oxPassport service. Please keep it as default. | +| service.port | int | `8090` | Port of the oxPassport service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/_helpers.tpl new file mode 100644 index 0000000000..1f9d4b7464 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxpassport.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxpassport.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxpassport.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxpassport.labels" -}} +app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +helm.sh/chart: {{ include "oxpassport.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxpassport.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxpassport.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxpassport.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxpassport.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/deployment.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/deployment.yaml new file mode 100644 index 0000000000..8ab9d9a2f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/deployment.yaml @@ -0,0 +1,183 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxpassport.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxpassport.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxpassport.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: PASSPORT_LOG_LEVEL + value: "info" + {{- include "oxpassport.usr-envs" . | indent 12 }} + {{- include "oxpassport.usr-secret-envs" . | indent 12 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxpassport.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/hpa.yaml new file mode 100644 index 0000000000..0764e19e39 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxpassport.fullname" . }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "oxpassport.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-destination-rules.yaml new file mode 100644 index 0000000000..238c976d17 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-destination-rules.yaml @@ -0,0 +1,21 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxpassport-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-pdb.yaml new file mode 100644 index 0000000000..8ebcdc7172 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxpassport.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-virtual-services.yaml new file mode 100644 index 0000000000..6c2416b84c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/oxpassport-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-passport + namespace: {{.Release.Namespace}} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-passport + match: + - uri: + prefix: "/passport" + route: + - destination: + host: {{ .Values.global.oxpassport.oxPassportServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8090 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/service.yaml new file mode 100644 index 0000000000..b4fda32852 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxpassport.oxPassportServiceName }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxpassport.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..47ed7cd162 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "oxpassport.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxpassport/values.yaml b/charts/gluu/gluu/5.0.23/charts/oxpassport/values.yaml new file mode 100644 index 0000000000..b7b06d82d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxpassport/values.yaml @@ -0,0 +1,103 @@ + +# -- Gluu interface to Passport.js to support social login and inbound identity. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi +service: + # -- Port of the oxPassport service. Please keep it as default. + port: 8090 + # -- The name of the oxPassport port within the oxPassport service. Please keep it as default. + name: http-passport + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for oxPassport if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the oxPassport if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/.helmignore b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/Chart.yaml new file mode 100644 index 0000000000..77d4503277 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Shibboleth project for the Gluu Server's SAML IDP functionality. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SAML +- Shibboleth +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: oxshibboleth +sources: +- https://github.com/GluuFederation/oxShibboleth +- https://github.com/GluuFederation/docker-oxshibboleth +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/oxshibboleth +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/README.md b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/README.md new file mode 100644 index 0000000000..a3f0f8ee09 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/README.md @@ -0,0 +1,68 @@ +# oxshibboleth + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Shibboleth project for the Gluu Server's SAML IDP functionality. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/oxshibboleth"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-12"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the oxShibboleth if needed. | +| livenessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/idp","port":"http-oxshib"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the oxshibboleth if needed. | +| readinessProbe.httpGet.path | string | `"/idp"` | http liveness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-oxshib"` | Port of the oxShibboleth service. Please keep it as default. | +| service.port | int | `8080` | The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| service.targetPort | int | `8080` | | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/_helpers.tpl new file mode 100644 index 0000000000..a9a1a94b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oxshibboleth.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oxshibboleth.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oxshibboleth.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "oxshibboleth.labels" -}} +app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +helm.sh/chart: {{ include "oxshibboleth.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "oxshibboleth.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "oxshibboleth.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create GLUU_JAVA_OPTIONS ENV for passing detailed logs +*/}} +{{- define "oxshibboleth.detailedLogs"}} +{{ $ldap := "" }} +{{ $messages := "" }} +{{ $encryption := "" }} +{{ $opensaml := "" }} +{{ $props := "" }} +{{ $httpclient := "" }} +{{ $spring := "" }} +{{ $container := "" }} +{{ $xmlsec := "" }} + +{{- if .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{ $ldap = printf "-Didp.loglevel.ldap=%s " .Values.global.oxshibboleth.appLoggers.ldapLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{ $messages = printf "-Didp.loglevel.messages=%s " .Values.global.oxshibboleth.appLoggers.messagesLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{ $encryption = printf "-Didp.loglevel.encryption=%s " .Values.global.oxshibboleth.appLoggers.encryptionLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{ $opensaml = printf "-Didp.loglevel.opensaml=%s " .Values.global.oxshibboleth.appLoggers.opensamlLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{ $props = printf "-Didp.loglevel.props=%s " .Values.global.oxshibboleth.appLoggers.propsLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{ $httpclient = printf "-Didp.loglevel.httpclient=%s " .Values.global.oxshibboleth.appLoggers.httpclientLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{ $spring = printf "-Didp.loglevel.spring=%s " .Values.global.oxshibboleth.appLoggers.springLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{ $container = printf "-Didp.loglevel.container=%s " .Values.global.oxshibboleth.appLoggers.containerLogLevel }} +{{- end}} +{{- if .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{ $xmlsec = printf "-Didp.loglevel.xmlsec=%s " .Values.global.oxshibboleth.appLoggers.xmlsecLogLevel }} +{{- end}} + +{{ $detailLogs := printf "%s%s%s%s%s%s%s%s%s" $ldap $messages $encryption $opensaml $props $httpclient $spring $container $xmlsec }} +{{ $detailLogs | trimSuffix " " | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "oxshibboleth.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "oxshibboleth.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/hpa.yaml new file mode 100644 index 0000000000..3d4c0597ff --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "oxshibboleth.fullname" . }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "oxshibboleth.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml new file mode 100644 index 0000000000..8478504b68 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-oxshibboleth-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml new file mode 100644 index 0000000000..a8c99410cf --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "oxshibboleth.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml new file mode 100644 index 0000000000..5f89fa5c2c --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/oxshibboleth-virtual-services.yaml @@ -0,0 +1,33 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-oxshibbioleth + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} + gateways: + - {{ .Release.Name }}-global-gtw + http: + - name: {{ .Release.Name }}-istio-oxshibbioleth + match: + - uri: + prefix: /idp + route: + - destination: + host: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/service.yaml new file mode 100644 index 0000000000..4781774752 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/service.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.oxshibboleth.oxShibbolethServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- else }} + clusterIP: None + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/statefulset.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/statefulset.yaml new file mode 100644 index 0000000000..17bb8379e6 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/statefulset.yaml @@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxshibboleth.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + serviceName: oxshibboleth + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: oxshibboleth + app: {{ .Release.Name }}-{{ include "oxshibboleth.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "oxshibboleth.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "oxshibboleth.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "oxshibboleth.usr-envs" . | indent 12 }} + {{- include "oxshibboleth.usr-secret-envs" . | indent 12 }} + - name: GLUU_JAVA_OPTIONS + value: {{ include "oxshibboleth.detailedLogs" . | trim }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + protocol: TCP + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + mountPath: /scripts + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "oxshibboleth.fullname" .}}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..fd6e4e0aaa --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: oxshibboleth +{{ include "oxshibboleth.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/oxshibboleth/values.yaml b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/values.yaml new file mode 100644 index 0000000000..224291fdc4 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/oxshibboleth/values.yaml @@ -0,0 +1,102 @@ + +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the oxShibboleth port within the oxShibboleth service. Please keep it as default. + port: 8080 + targetPort: 8080 + # -- Port of the oxShibboleth service. Please keep it as default. + name: http-oxshib + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 + +# -- Configure the liveness healthcheck for the oxShibboleth if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the oxshibboleth if needed. +readinessProbe: + httpGet: + # -- http liveness probe endpoint + path: /idp + port: http-oxshib + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nameOverride: "" +fullnameOverride: "" + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.23/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..6981090f71 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/persistence +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/README.md b/charts/gluu/gluu/5.0.23/charts/persistence/README.md new file mode 100644 index 0000000000..9485c50f43 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/README.md @@ -0,0 +1,52 @@ +# persistence + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.23/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..151d0e2ab8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/templates/jobs.yml @@ -0,0 +1,128 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if .Values.global.istio.enabled }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + /app/scripts/entrypoint.sh + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.23/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.23/charts/persistence/values.yaml new file mode 100644 index 0000000000..322caf2ee8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/persistence/values.yaml @@ -0,0 +1,54 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/.helmignore b/charts/gluu/gluu/5.0.23/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.23/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.23/charts/scim/Chart.yaml new file mode 100644 index 0000000000..625a34b7d8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://gluu.org/docs/gluu-server +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/flex-cn-setup/pygluu/kubernetes/templates/helm/gluu/charts/scim +type: application +version: 5.0.23 diff --git a/charts/gluu/gluu/5.0.23/charts/scim/README.md b/charts/gluu/gluu/5.0.23/charts/scim/README.md new file mode 100644 index 0000000000..9e9ce08a93 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/README.md @@ -0,0 +1,61 @@ +# scim + +![Version: 5.0.23](https://img.shields.io/badge/Version-5.0.23-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.19-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.23/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..7e1022a958 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/deployment.yml @@ -0,0 +1,174 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + command: + - /bin/sh + - -c + - | + /usr/bin/python3 /scripts/updatelbip.py & + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.23/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.23/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.23/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.23/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/charts/scim/values.yaml b/charts/gluu/gluu/5.0.23/charts/scim/values.yaml new file mode 100644 index 0000000000..3c730edfc2 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/charts/scim/values.yaml @@ -0,0 +1,90 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/openbanking-values.yaml b/charts/gluu/gluu/5.0.23/openbanking-values.yaml new file mode 100644 index 0000000000..32957c91c8 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/openbanking-values.yaml @@ -0,0 +1,700 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled. + enabled: false + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.19_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.23/questions.yaml b/charts/gluu/gluu/5.0.23/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.23/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.23/templates/_helpers.tpl b/charts/gluu/gluu/5.0.23/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.23/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.23/values.schema.json b/charts/gluu/gluu/5.0.23/values.schema.json new file mode 100644 index 0000000000..11b96aa7cb --- /dev/null +++ b/charts/gluu/gluu/5.0.23/values.schema.json @@ -0,0 +1,2872 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "oxshibboleth":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the oxShibbboleth chart. Not part of the openbanking distribution. Keep as default.This also enables SAML-related features; UI menu, etc. Not part of the openbanking distribution. Please leave this disabled.", + "type":"boolean" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "oxpassport": { + "type": "object", + "properties": { + "enabled": { + "description": "Boolean flag to enable/disable the oxpassport chart.", + "type": "boolean" + }, + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "oxpassport":{ + "description":"Gluu interface to Passport.js to support social login and inbound identity.", + "type":"object", + "properties":{ + + } + }, + "oxshibboleth":{ + "description":"Shibboleth project for the Gluu Server's SAML IDP functionality.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/oxpassport-enabled" + }, + { + "$ref":"#/definitions/oxshibboleth-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "oxpassport-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxpassport":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxpassport":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxPassportServiceName":{ + "description":"Name of the oxPassport service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "oxshibboleth-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "oxshibboleth":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "oxshibboleth":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "oxShibbolethServiceName":{ + "description":"Name of the oxShibboleth service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.23/values.yaml b/charts/gluu/gluu/5.0.23/values.yaml new file mode 100644 index 0000000000..f536c10a2d --- /dev/null +++ b/charts/gluu/gluu/5.0.23/values.yaml @@ -0,0 +1,1756 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/casa + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + oxpassport: + # -- Name of the oxPassport service. Please keep it as default. + oxPassportServiceName: oxpassport + # -- Boolean flag to enable/disable passport chart + enabled: false + oxshibboleth: + # -- Name of the oxShibboleth service. Please keep it as default. + oxShibbolethServiceName: oxshibboleth + # -- Boolean flag to enable/disable the oxShibbboleth chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + # log levels are "OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE" + # Targets are "STDOUT" and "FILE" + appLoggers: + # -- idp-process.log target + idpLogTarget: "STDOUT" + # -- idp-process.log level + idpLogLevel: "INFO" + # -- idp-script.log target + scriptLogTarget: "FILE" + # -- idp-script.log level + scriptLogLevel: "INFO" + # -- idp-audit.log target + auditStatsLogTarget: "FILE" + # -- idp-audit.log level + auditStatsLogLevel: "INFO" + # -- idp-consent-audit.log target + consentAuditLogTarget: "FILE" + # -- idp-consent-audit.log level + consentAuditLogLevel: "INFO" + # -- https://github.com/GluuFederation/docker-oxshibboleth#additional-logger-configuration + # The below are very noisy logs and are better left untouched + ldapLogLevel: "" + messagesLogLevel: "" + encryptionLogLevel: "" + opensamlLogLevel: "" + propsLogLevel: "" + httpclientLogLevel: "" + springLogLevel: "" + containerLogLevel: "" + xmlsecLogLevel: "" + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Gluu interface to Passport.js to support social login and inbound identity. +oxpassport: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxpassport + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 700m + # -- Memory limit. + memory: 900Mi + requests: + # -- CPU request. + cpu: 700m + # -- Memory request. + memory: 900Mi + # -- Configure the liveness healthcheck for oxPassport if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the oxPassport if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /passport/health-check + port: http-passport + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Shibboleth project for the Gluu Server's SAML IDP functionality. +oxshibboleth: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/oxshibboleth + # -- Image tag to use for deploying. + tag: 5.0.0-12 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for oxshibboleth if needed. + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + # https://github.com/GluuFederation/docker-oxshibboleth/blob/master/scripts/healthcheck.py + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.19-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.24/Chart.yaml b/charts/gluu/gluu/5.0.24/Chart.yaml new file mode 100644 index 0000000000..333b605889 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/Chart.yaml @@ -0,0 +1,91 @@ +annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.21-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.21-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.21-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.21-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.21-1 + - name: opendj + image: gluufederation/opendj:5.0.0_dev + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.21-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.21-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.0.21-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.21-1 + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "true" + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.24 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.24 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.24 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.24 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.24 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.24 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.24 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.24 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.24 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.24 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.24 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.24 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: moabu +name: gluu +sources: +- https://docs.gluu.org +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/README.md b/charts/gluu/gluu/5.0.24/README.md new file mode 100644 index 0000000000..fa27c946ad --- /dev/null +++ b/charts/gluu/gluu/5.0.24/README.md @@ -0,0 +1,547 @@ +# gluu + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.24 | +| | auth-server | 5.0.24 | +| | auth-server-key-rotation | 5.0.24 | +| | casa | 5.0.24 | +| | cn-istio-ingress | 5.0.24 | +| | config | 5.0.24 | +| | config-api | 5.0.24 | +| | fido2 | 5.0.24 | +| | nginx-ingress | 5.0.24 | +| | opendj | 5.0.24 | +| | persistence | 5.0.24 | +| | scim | 5.0.24 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.21-1"},"keysLife":48,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","lbAddr":""},"countryCode":"US","dnsConfig":{},"dnsPolicy":"","email":"support@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.21-1"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| config.configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}},"auth-server-key-rotation":{"enabled":true},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"LOCAL","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true}},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"lbIp":"22.22.22.22","licenseSsa":"","nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnCouchbasePasswordFile | string | `"/etc/jans/conf/couchbase_password"` | Path to Couchbase password file | +| global.cnCouchbaseSuperuserPasswordFile | string | `"/etc/jans/conf/couchbase_superuser_password"` | Path to Couchbase superuser password file | +| global.cnDocumentStoreType | string | `"LOCAL"` | Document store type to use for shibboleth files LOCAL. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnLdapCacertFile | string | `"/etc/certs/opendj.pem"` | Path to OpenDJ CA cert file | +| global.cnLdapCertFile | string | `"/etc/certs/opendj.crt"` | Path to OpenDJ cert file | +| global.cnLdapKeyFile | string | `"/etc/certs/opendj.key"` | Path to OpenDJ key file | +| global.cnLdapPasswordFile | string | `"/etc/jans/conf/ldap_password"` | Path to LDAP password file | +| global.cnLdapTruststoreFile | string | `"/etc/certs/opendj.pkcs12"` | Path to OpenDJ truststore file | +| global.cnLdapTruststorePasswordFile | string | `"/etc/jans/conf/ldap_truststore_password"` | Path to LDAP truststore password file | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.21-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.21-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/app-readme.md b/charts/gluu/gluu/5.0.24/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.24/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..169b00209c --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Admin GUI. Requires license. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.24/charts/admin-ui/README.md new file mode 100644 index 0000000000..7870e21b3e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/README.md @@ -0,0 +1,60 @@ +# admin-ui + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..0dbaac0667 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.24/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..22b82df277 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/admin-ui/values.yaml @@ -0,0 +1,92 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..06a084e8d7 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Responsible for regenerating auth-keys per x hours +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..f03d939d56 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/README.md @@ -0,0 +1,50 @@ +# auth-server-key-rotation + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..876cdd27d4 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,171 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "@every {{ .Values.keysLife }}h" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..4b1f6ff076 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.fullname" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..71c0a21c26 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,57 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.24/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..7b6b7d2914 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Autherization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/README.md b/charts/gluu/gluu/5.0.24/charts/auth-server/README.md new file mode 100644 index 0000000000..dae336e474 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/README.md @@ -0,0 +1,62 @@ +# auth-server + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..10a69dec0e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/deployment.yml @@ -0,0 +1,305 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.24/charts/auth-server/values.yaml new file mode 100644 index 0000000000..5c5a9a27b6 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/auth-server/values.yaml @@ -0,0 +1,95 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/.helmignore b/charts/gluu/gluu/5.0.24/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.24/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/casa/Chart.yaml new file mode 100644 index 0000000000..8b0d394b5b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/casa/README.md b/charts/gluu/gluu/5.0.24/charts/casa/README.md new file mode 100644 index 0000000000..3946dbe3a8 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..b3d7659499 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..55c1e62fdc --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/deployment.yaml @@ -0,0 +1,221 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/casa/values.yaml b/charts/gluu/gluu/5.0.24/charts/casa/values.yaml new file mode 100644 index 0000000000..417c5bea08 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/casa/values.yaml @@ -0,0 +1,107 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..69a0761f4e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Istio Gateway +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..3ea9ede115 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..12a9700134 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,36 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret + \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.24/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..10c76f8398 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/README.md b/charts/gluu/gluu/5.0.24/charts/config-api/README.md new file mode 100644 index 0000000000..6edbe2d1a3 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/README.md @@ -0,0 +1,66 @@ +# config-api + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..350dc909f9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/deployment.yaml @@ -0,0 +1,209 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.24/charts/config-api/values.yaml new file mode 100644 index 0000000000..42454ace71 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config-api/values.yaml @@ -0,0 +1,106 @@ + +# -- Gluu Admin UI. This shouldn't be internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +# https://github.com/GluuFederation/docker-oxauth/blob/4.3/scripts/healthcheck.py +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/.helmignore b/charts/gluu/gluu/5.0.24/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.24/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/config/Chart.yaml new file mode 100644 index 0000000000..5ed9602218 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/config/README.md b/charts/gluu/gluu/5.0.24/charts/config/README.md new file mode 100644 index 0000000000..6376da4b6a --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/README.md @@ -0,0 +1,109 @@ +# config + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"support@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..1273a27d8b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.casa}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..101d4bbcef --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/configmaps.yaml @@ -0,0 +1,453 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_CONFIG_API_PLUGINS: "admin-ui,scim,fido2,user-mgt" + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled }} + # CASA + CN_CASA_APP_LOGGERS: {{ .Values.global.casa + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.global.cnCouchbasePasswordFile }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + CN_LDAP_PASSWORD_FILE: {{ .Values.global.cnLdapPasswordFile }} + CN_LDAP_TRUSTSTORE_PASSWORD_FILE: {{ .Values.global.cnLdapTruststorePasswordFile }} + CN_LDAP_CERT_FILE: {{ .Values.global.cnLdapCertFile }} + CN_LDAP_KEY_FILE: {{ .Values.global.cnLdapKeyFile }} + CN_LDAP_CACERT_FILE: {{ .Values.global.cnLdapCacertFile }} + CN_LDAP_TRUSTSTORE_FILE: {{ .Values.global.cnLdapTruststoreFile }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + import base64 + + from jans.pycloudlib import get_manager + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + def b64encode(value): + return base64.b64encode(value.encode()).decode() + + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") + if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert or key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.24/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..53236bad0a --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/load-init-config.yml @@ -0,0 +1,174 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py + {{- else }} + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py + {{- end }} + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..d6e4c86fa6 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/secrets.yaml @@ -0,0 +1,206 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + ldap_password: {{ .Values.ldapPassword | b64enc }} + ldap_truststore_password: {{ .Values.ldapTruststorePassword | b64enc }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-certkey + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + opendj.crt: |- +{{ .Values.configmap.cnLdapCrt | indent 4 }} + opendj.key: |- +{{ .Values.configmap.cnLdapKey | indent 4 }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-sql-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }} + couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.24/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.24/charts/config/values.yaml b/charts/gluu/gluu/5.0.24/charts/config/values.yaml new file mode 100644 index 0000000000..666668ff3e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/config/values.yaml @@ -0,0 +1,189 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: support@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- LDAP truststore password if OpenDJ is used for persistence +ldapTruststorePassword: changeit +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.24/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..b404b519ba --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/README.md b/charts/gluu/gluu/5.0.24/charts/fido2/README.md new file mode 100644 index 0000000000..ff6c7bccde --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/README.md @@ -0,0 +1,63 @@ +# fido2 + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..c3d0ded19f --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/deployment.yml @@ -0,0 +1,218 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.24/charts/fido2/values.yaml new file mode 100644 index 0000000000..b619be81a9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/fido2/values.yaml @@ -0,0 +1,95 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..cad3f402f2 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Nginx ingress definitions chart +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..c0b0d7af31 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/README.md @@ -0,0 +1,61 @@ +# nginx-ingress + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/casa-ingress.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/casa-ingress.yaml new file mode 100644 index 0000000000..165348c071 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/casa-ingress.yaml @@ -0,0 +1,55 @@ +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..4f84bd2545 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,671 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..60330b1541 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/nginx-ingress/values.yaml @@ -0,0 +1,77 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.24/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..d676398df4 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/README.md b/charts/gluu/gluu/5.0.24/charts/opendj/README.md new file mode 100644 index 0000000000..b8b4527e19 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/README.md @@ -0,0 +1,75 @@ +# opendj + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..7483be66ca --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,110 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${CN_MAX_RAM_PERCENTAGE} ${CN_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + python3 /app/scripts/wait.py + python3 /app/scripts/bootstrap.py + + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + volumeMounts: + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + restartPolicy: Never + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/statefulset.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/statefulset.yaml rename to charts/gluu/gluu/5.0.24/charts/opendj/templates/statefulset.yaml diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.24/charts/opendj/values.yaml new file mode 100644 index 0000000000..6efb0d9c65 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/opendj/values.yaml @@ -0,0 +1,142 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +# https://github.com/GluuFederation/docker-opendj/blob/4.3/scripts/healthcheck.py +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.24/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..015c23506e --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/README.md b/charts/gluu/gluu/5.0.24/charts/persistence/README.md new file mode 100644 index 0000000000..d1667696f9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/README.md @@ -0,0 +1,53 @@ +# persistence + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.24/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..80f8b592f7 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/templates/jobs.yml @@ -0,0 +1,170 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts )}} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 12}} + {{- end }} + /app/scripts/entrypoint.sh + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + subPath: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + - key: couchbase_password + path: couchbase_password + - key: couchbase_superuser_password + path: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.24/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.24/charts/persistence/values.yaml new file mode 100644 index 0000000000..cc2b290bc9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/persistence/values.yaml @@ -0,0 +1,58 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/.helmignore b/charts/gluu/gluu/5.0.24/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.24/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.24/charts/scim/Chart.yaml new file mode 100644 index 0000000000..0fffa412ed --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim +type: application +version: 5.0.24 diff --git a/charts/gluu/gluu/5.0.24/charts/scim/README.md b/charts/gluu/gluu/5.0.24/charts/scim/README.md new file mode 100644 index 0000000000..7155c569cb --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/README.md @@ -0,0 +1,62 @@ +# scim + +![Version: 5.0.24](https://img.shields.io/badge/Version-5.0.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.0](https://img.shields.io/badge/AppVersion-5.0.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.21-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.24/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..8bb3605eb9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/deployment.yml @@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.24/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.24/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.24/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.24/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/charts/scim/values.yaml b/charts/gluu/gluu/5.0.24/charts/scim/values.yaml new file mode 100644 index 0000000000..946b87396b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/charts/scim/values.yaml @@ -0,0 +1,94 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.24/openbanking-values.yaml b/charts/gluu/gluu/5.0.24/openbanking-values.yaml new file mode 100644 index 0000000000..1a3c608829 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/openbanking-values.yaml @@ -0,0 +1,690 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.24/questions.yaml b/charts/gluu/gluu/5.0.24/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.24/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.24/templates/_helpers.tpl b/charts/gluu/gluu/5.0.24/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.24/values.schema.json b/charts/gluu/gluu/5.0.24/values.schema.json new file mode 100644 index 0000000000..2bef4ca26d --- /dev/null +++ b/charts/gluu/gluu/5.0.24/values.schema.json @@ -0,0 +1,2582 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + }, + "cnLdapCrt": { + "description": "OpenDJ certificate string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnLdapKey": { + "description": "OpenDJ key string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files LOCAL.", + "type":"string", + "pattern":"^(LOCAL)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + }, + "cnSqlPasswordFile": { + "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.", + "type": "string", + "pattern": ".*sql_password\\b.*" + }, + "cnCouchbasePasswordFile": { + "description": "The location of the Couchbase user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password.", + "type": "string", + "pattern": ".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperuserPasswordFile": { + "description": "The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type": "string", + "pattern": ".*couchbase_superuser_password\\b.*" + }, + "cnLdapPasswordFile": { + "description": "The location of the OpenDJ user password. The file path must end with ldap_password.", + "type": "string", + "pattern": ".*ldap_password\\b.*" + }, + "cnLdapTruststorePasswordFile": { + "description": "The location of the OpenDJ truststore password file. The file path must end with ldap_truststore_password.", + "type": "string", + "pattern": ".*ldap_truststore_password\\b.*" + }, + "cnLdapCertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.crt.", + "type": "string", + "pattern": ".*opendj.crt\\b.*" + }, + "cnLdapKeyFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.key.", + "type": "string", + "pattern": ".*opendj.key\\b.*" + }, + "cnLdapCacertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.pem.", + "type": "string", + "pattern": ".*opendj.pem\\b.*" + }, + "cnLdapTruststoreFile": { + "description": "The location of the OpenDJ truststore file. The file path must end with opendj.pkcs12.", + "type": "string", + "pattern": ".*opendj.pkcs12\\b.*" + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} diff --git a/charts/gluu/gluu/5.0.24/values.yaml b/charts/gluu/gluu/5.0.24/values.yaml new file mode 100644 index 0000000000..d187fc6b61 --- /dev/null +++ b/charts/gluu/gluu/5.0.24/values.yaml @@ -0,0 +1,1566 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Gluu Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/casa + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: support@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- LDAP truststore password if OpenDJ is used for persistence + ldapTruststorePassword: changeit + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: true + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files LOCAL. + cnDocumentStoreType: LOCAL + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + # -- Path to SQL password file + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- Path to Couchbase password file + cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password + # -- Path to Couchbase superuser password file + cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password + # -- Path to LDAP password file + cnLdapPasswordFile: /etc/jans/conf/ldap_password + # -- Path to LDAP truststore password file + cnLdapTruststorePasswordFile: /etc/jans/conf/ldap_truststore_password + # -- Path to OpenDJ cert file + cnLdapCertFile: /etc/certs/opendj.crt + # -- Path to OpenDJ key file + cnLdapKeyFile: /etc/certs/opendj.key + # -- Path to OpenDJ CA cert file + cnLdapCacertFile: /etc/certs/opendj.pem + # -- Path to OpenDJ truststore file + cnLdapTruststoreFile: /etc/certs/opendj.pkcs12 + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.21-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] diff --git a/charts/gluu/gluu/5.0.25/Chart.yaml b/charts/gluu/gluu/5.0.25/Chart.yaml new file mode 100644 index 0000000000..c4ad47c784 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/Chart.yaml @@ -0,0 +1,100 @@ +annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.0.22-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.0.22-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.0.22-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.0.22-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.0.22-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.0.22-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.0.22-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.0.22-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:1.0.22-1 + - name: link + image: ghcr.io/janssenproject/jans/link:1.0.22-1 + - name: saml + image: ghcr.io/janssenproject/jans/saml:1.0.22-1 + artifacthub.io/license: Apache-2.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.0.22 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 5.0.25 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 5.0.25 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.0.25 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 5.0.25 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.0.25 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 5.0.25 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 5.0.25 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.0.25 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 5.0.25 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 5.0.25 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 5.0.25 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.0.25 +- condition: global.link.enabled + name: link + repository: file://./charts/link + version: 5.0.25 +- condition: global.saml.enabled + name: saml + repository: file://./charts/saml + version: 5.0.25 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: moabu +name: gluu +sources: +- https://docs.gluu.org +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/README.md b/charts/gluu/gluu/5.0.25/README.md new file mode 100644 index 0000000000..e97f64360a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/README.md @@ -0,0 +1,653 @@ +# gluu + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.0.25 | +| | auth-server | 5.0.25 | +| | auth-server-key-rotation | 5.0.25 | +| | casa | 5.0.25 | +| | cn-istio-ingress | 5.0.25 | +| | config | 5.0.25 | +| | config-api | 5.0.25 | +| | fido2 | 5.0.25 | +| | link | 5.0.25 | +| | nginx-ingress | 5.0.25 | +| | opendj | 5.0.25 | +| | persistence | 5.0.25 | +| | saml | 5.0.25 | +| | scim | 5.0.25 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.0.22_dev"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| auth-server-key-rotation.keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| auth-server-key-rotation.keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","kcProxy":"edge","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.0.22_dev"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| config.configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| config.configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | +| config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | +| config.configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host uri | +| config.configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| config.configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| config.configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| config.configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| config.configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| config.configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":false,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.auth-server.lockEnabled | bool | `false` | Enable jans-lock as service running inside auth-server | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnCouchbasePasswordFile | string | `"/etc/jans/conf/couchbase_password"` | Path to Couchbase password file | +| global.cnCouchbaseSuperuserPasswordFile | string | `"/etc/jans/conf/couchbase_superuser_password"` | Path to Couchbase superuser password file | +| global.cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnLdapCacertFile | string | `"/etc/certs/opendj.pem"` | Path to OpenDJ CA cert file | +| global.cnLdapCertFile | string | `"/etc/certs/opendj.crt"` | Path to OpenDJ cert file | +| global.cnLdapKeyFile | string | `"/etc/certs/opendj.key"` | Path to OpenDJ key file | +| global.cnLdapPasswordFile | string | `"/etc/jans/conf/ldap_password"` | Path to LDAP password file | +| global.cnLdapTruststoreFile | string | `"/etc/certs/opendj.pkcs12"` | Path to OpenDJ truststore file | +| global.cnLdapTruststorePasswordFile | string | `"/etc/jans/conf/ldap_truststore_password"` | Path to LDAP truststore password file | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config-api.plugins | string | `"admin-ui,fido2,scim,user-mgt"` | Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | +| global.kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.link.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.link.appLoggers.ldapStatsLogLevel | string | `"INFO"` | cacherefresh_persistence_ldap_statistics.log level | +| global.link.appLoggers.ldapStatsLogTarget | string | `"FILE"` | cacherefresh_persistence_ldap_statistics.log target | +| global.link.appLoggers.linkLogLevel | string | `"INFO"` | cacherefresh.log level | +| global.link.appLoggers.linkLogTarget | string | `"STDOUT"` | cacherefresh.log target | +| global.link.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | cacherefresh_persistence_duration.log level | +| global.link.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | cacherefresh_persistence_duration.log target | +| global.link.appLoggers.persistenceLogLevel | string | `"INFO"` | cacherefresh_persistence.log level | +| global.link.appLoggers.persistenceLogTarget | string | `"FILE"` | cacherefresh_persistence.log target | +| global.link.appLoggers.scriptLogLevel | string | `"INFO"` | cacherefresh_script.log level | +| global.link.appLoggers.scriptLogTarget | string | `"FILE"` | cacherefresh_script.log target | +| global.link.enabled | bool | `false` | Boolean flag to enable/disable the link chart. | +| global.link.ingress | object | `{"linkEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.link.linkServiceName | string | `"link"` | Name of the link service. Please keep it as default. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.saml.enabled | bool | `false` | Boolean flag to enable/disable the saml chart. | +| global.saml.ingress | object | `{"samlEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.saml.samlServiceName | string | `"saml"` | Name of the saml service. Please keep it as default. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. | +| link.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| link.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| link.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| link.dnsConfig | object | `{}` | Add custom dns config | +| link.dnsPolicy | string | `""` | Add custom dns policy | +| link.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| link.hpa.behavior | object | `{}` | Scaling Policies | +| link.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| link.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| link.image.pullSecrets | list | `[]` | Image Pull Secrets | +| link.image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| link.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| link.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| link.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| link.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| link.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| link.replicas | int | `1` | Service replica number. | +| link.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| link.resources.limits.cpu | string | `"500m"` | CPU limit. | +| link.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| link.resources.requests.cpu | string | `"500m"` | CPU request. | +| link.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| link.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| link.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| link.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| nginx-ingress.ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0-1"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0-1"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.0.22_dev"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | SAML. | +| saml.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| saml.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| saml.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| saml.dnsConfig | object | `{}` | Add custom dns config | +| saml.dnsPolicy | string | `""` | Add custom dns policy | +| saml.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| saml.hpa.behavior | object | `{}` | Scaling Policies | +| saml.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| saml.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| saml.image.pullSecrets | list | `[]` | Image Pull Secrets | +| saml.image.repository | string | `"ghcr.io/janssenproject/jans/saml"` | Image to use for deploying. | +| saml.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| saml.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| saml.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| saml.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| saml.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| saml.replicas | int | `1` | Service replica number. | +| saml.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| saml.resources.limits.cpu | string | `"500m"` | CPU limit. | +| saml.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| saml.resources.requests.cpu | string | `"500m"` | CPU request. | +| saml.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| saml.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| saml.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| saml.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| saml.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| saml.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| saml.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.0.22_dev"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/app-readme.md b/charts/gluu/gluu/5.0.25/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.0.25/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.0.25/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..83e122fbd6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Admin GUI. Requires license. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/README.md b/charts/gluu/gluu/5.0.25/charts/admin-ui/README.md new file mode 100644 index 0000000000..e8d60582bc --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/README.md @@ -0,0 +1,60 @@ +# admin-ui + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..0dbaac0667 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.0.25/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..2fbb7400c0 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/admin-ui/values.yaml @@ -0,0 +1,92 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..14d306633b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Responsible for regenerating auth-keys per x hours +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..7fb435dc41 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/README.md @@ -0,0 +1,53 @@ +# auth-server-key-rotation + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..eddf7ec8d8 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,171 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "@every {{ .Values.keysLife }}h" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}", "--opts", "key-strategy:{{ .Values.keysStrategy }}", "--opts", "privkey-push-delay:{{ .Values.keysPushDelay }}", "--opts", "privkey-push-strategy:{{ .Values.keysPushStrategy }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/templates/service.yaml rename to charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/service.yaml diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..d83f34c97d --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,62 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Set key selection strategy used by Auth server +keysStrategy: NEWER +# -- Delay (in seconds) before pushing private keys to Auth server +keysPushDelay: 0 +# -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) +keysPushStrategy: NEWER +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/.helmignore b/charts/gluu/gluu/5.0.25/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..63c8bdd857 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/README.md b/charts/gluu/gluu/5.0.25/charts/auth-server/README.md new file mode 100644 index 0000000000..8585988edd --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/README.md @@ -0,0 +1,62 @@ +# auth-server + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..10a69dec0e --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/deployment.yml @@ -0,0 +1,305 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/auth-server/values.yaml b/charts/gluu/gluu/5.0.25/charts/auth-server/values.yaml new file mode 100644 index 0000000000..6a44e8942a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/auth-server/values.yaml @@ -0,0 +1,94 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.0.25/charts/casa/.helmignore b/charts/gluu/gluu/5.0.25/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.25/charts/casa/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/casa/Chart.yaml new file mode 100644 index 0000000000..230dda86fe --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/casa/README.md b/charts/gluu/gluu/5.0.25/charts/casa/README.md new file mode 100644 index 0000000000..32ce166fc3 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/casa-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/casa-virtual-services.yaml rename to charts/gluu/gluu/5.0.25/charts/casa/templates/casa-virtual-services.yaml diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..55c1e62fdc --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/deployment.yaml @@ -0,0 +1,221 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/casa/values.yaml b/charts/gluu/gluu/5.0.25/charts/casa/values.yaml new file mode 100644 index 0000000000..25a92c41bb --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/casa/values.yaml @@ -0,0 +1,107 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..bafa0b60d1 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Istio Gateway +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..9b9ed5a87b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/templates/gateway.yaml similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/templates/gateway.yaml rename to charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/templates/gateway.yaml diff --git a/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/.helmignore b/charts/gluu/gluu/5.0.25/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..a32bce5f6c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/README.md b/charts/gluu/gluu/5.0.25/charts/config-api/README.md new file mode 100644 index 0000000000..345cb68f25 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/README.md @@ -0,0 +1,66 @@ +# config-api + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..350dc909f9 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/deployment.yaml @@ -0,0 +1,209 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/config-api/values.yaml b/charts/gluu/gluu/5.0.25/charts/config-api/values.yaml new file mode 100644 index 0000000000..ece4dbbaa2 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config-api/values.yaml @@ -0,0 +1,102 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.0.25/charts/config/.helmignore b/charts/gluu/gluu/5.0.25/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.0.25/charts/config/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/config/Chart.yaml new file mode 100644 index 0000000000..6b5713daa0 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/config/README.md b/charts/gluu/gluu/5.0.25/charts/config/README.md new file mode 100644 index 0000000000..88d20b5fac --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/README.md @@ -0,0 +1,123 @@ +# config + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | +| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name | +| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host | +| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/config/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/config/templates/_helpers.tpl rename to charts/gluu/gluu/5.0.25/charts/config/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..2e2d0c9533 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/configmaps.yaml @@ -0,0 +1,471 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + {{ if or (eq .Values.configmap.cnCacheType "REDIS") (eq .Values.configmap.cnMessageType "REDIS") }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled}} # CASA + CN_CASA_APP_LOGGERS: {{ .Values.global.casa.appLoggers + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.global.cnCouchbasePasswordFile }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + CN_LDAP_PASSWORD_FILE: {{ .Values.global.cnLdapPasswordFile }} + CN_LDAP_TRUSTSTORE_PASSWORD_FILE: {{ .Values.global.cnLdapTruststorePasswordFile }} + CN_LDAP_CERT_FILE: {{ .Values.global.cnLdapCertFile }} + CN_LDAP_KEY_FILE: {{ .Values.global.cnLdapKeyFile }} + CN_LDAP_CACERT_FILE: {{ .Values.global.cnLdapCacertFile }} + CN_LDAP_TRUSTSTORE_FILE: {{ .Values.global.cnLdapTruststoreFile }} + CN_CONFIG_API_PLUGINS: {{ index .Values "global" "config-api" "plugins" | quote }} + {{- if .Values.global.saml.enabled }} + QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: {{ .Values.configmap.quarkusTransactionEnableRecovery | quote }} + KC_LOG_LEVEL: {{ .Values.configmap.kcLogLevel | quote }} + KC_PROXY: {{ .Values.configmap.kcProxy | quote }} + KC_DB: {{ .Values.configmap.kcDbVendor | quote }} + KC_DB_USERNAME: {{ .Values.configmap.kcDbUsername | quote }} + KC_DB_SCHEMA: {{ .Values.configmap.kcDbSchema | quote }} + KC_DB_URL_HOST: {{ .Values.configmap.kcDbUrlHost | quote }} + KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} + KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} + KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} + CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.global.kcDbPasswordFile | quote }} + CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.global.kcAdminCredentialsFile | quote }} + {{- end }} + CN_LOCK_ENABLED: {{ index .Values "global" "auth-server" "lockEnabled" | quote }} + CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} + CN_MESSAGE_TYPE: {{ .Values.configmap.cnMessageType | quote }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + import base64 + + from jans.pycloudlib import get_manager + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + def b64encode(value): + return base64.b64encode(value.encode()).decode() + + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") + if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert or key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.0.25/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..64c48a7e3c --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/load-init-config.yml @@ -0,0 +1,174 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py + {{- else }} + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py + {{- end }} + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..0167197d43 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/secrets.yaml @@ -0,0 +1,229 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}, + "salt": {{ .Values.salt | quote }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + ldap_password: {{ .Values.ldapPassword | b64enc }} + ldap_truststore_password: {{ .Values.ldapTruststorePassword | b64enc }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-certkey + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + opendj.crt: |- +{{ .Values.configmap.cnLdapCrt | indent 4 }} + opendj.key: |- +{{ .Values.configmap.cnLdapKey | indent 4 }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-sql-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }} + couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }} +{{- end}} + + +{{- if .Values.global.saml.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-kc-db-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.0.25/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.0.25/charts/config/values.yaml b/charts/gluu/gluu/5.0.25/charts/config/values.yaml new file mode 100644 index 0000000000..fdfae08480 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/config/values.yaml @@ -0,0 +1,217 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +# -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. +salt: "" +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: team@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- LDAP truststore password if OpenDJ is used for persistence +ldapTruststorePassword: changeit +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/.helmignore b/charts/gluu/gluu/5.0.25/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..3dd2798df7 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/README.md b/charts/gluu/gluu/5.0.25/charts/fido2/README.md new file mode 100644 index 0000000000..1382db8781 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/README.md @@ -0,0 +1,63 @@ +# fido2 + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..c3d0ded19f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/deployment.yml @@ -0,0 +1,218 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..88a91a994b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.fido2.ingress.fido2ConfigEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/fido2/values.yaml b/charts/gluu/gluu/5.0.25/charts/fido2/values.yaml new file mode 100644 index 0000000000..9c90202f77 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/fido2/values.yaml @@ -0,0 +1,95 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/link/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/link/Chart.yaml new file mode 100644 index 0000000000..08eeaf76f9 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/link/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Jans Link +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- link +kubeVersion: '>=v1.22.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: link +sources: +- https://github.com/JanssenProject/jans/jans-link +- https://github.com/JanssenProject/jans/docker-jans-link +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/link/README.md b/charts/gluu/gluu/5.0.25/charts/link/README.md new file mode 100644 index 0000000000..23d80eb5fd --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/link/README.md @@ -0,0 +1,65 @@ +# link + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Jans Link + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.22.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the link if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the link if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-link"` | The name of the link port within the link service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/link/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/link/templates/_helpers.tpl new file mode 100644 index 0000000000..42e2f3184f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/link/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "link.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "link.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "link.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "link.labels" -}} +app: {{ .Release.Name }}-{{ include "link.name" . }} +helm.sh/chart: {{ include "link.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "link.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "link.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "link.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "link.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/link/templates/deployment.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/deployment.yaml new file mode 100644 index 0000000000..c9c439c59f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/link/templates/deployment.yaml @@ -0,0 +1,208 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "link.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "link.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "link.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "link.usr-envs" . | indent 12 }} + {{- include "link.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9091 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/charts/link/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/hpa.yaml rename to charts/gluu/gluu/5.0.25/charts/link/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/link/templates/link-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/link-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/link-destination-rules.yaml rename to charts/gluu/gluu/5.0.25/charts/link/templates/link-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/link/templates/link-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/link-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/link-pdb.yaml rename to charts/gluu/gluu/5.0.25/charts/link/templates/link-pdb.yaml diff --git a/charts/gluu/gluu/charts/link/templates/link-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/link-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/link-virtual-services.yaml rename to charts/gluu/gluu/5.0.25/charts/link/templates/link-virtual-services.yaml diff --git a/charts/gluu/gluu/charts/link/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/link/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/service.yaml rename to charts/gluu/gluu/5.0.25/charts/link/templates/service.yaml diff --git a/charts/gluu/gluu/5.0.25/charts/link/values.yaml b/charts/gluu/gluu/5.0.25/charts/link/values.yaml new file mode 100644 index 0000000000..840a781a57 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/link/values.yaml @@ -0,0 +1,104 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the link port within the link service. Please keep it as default. + name: http-link + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the link if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the link if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..fabe0fae5b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Nginx ingress definitions chart +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..e66cff04a6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/README.md @@ -0,0 +1,65 @@ +# nginx-ingress + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..94e244e656 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,787 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.saml.ingress.samlEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-saml + labels: + app: {{ $fullName }}-saml +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.samlLabels }} +{{ toYaml .Values.ingress.samlLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "saml-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.samlAdditionalAnnotations }} +{{ toYaml .Values.ingress.samlAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /kc + pathType: Prefix + backend: + service: + name: {{ .Values.global.saml.samlServiceName }} + port: + number: 8083 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..02ce71b132 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/nginx-ingress/values.yaml @@ -0,0 +1,85 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/.helmignore b/charts/gluu/gluu/5.0.25/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..4cab677326 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/README.md b/charts/gluu/gluu/5.0.25/charts/opendj/README.md new file mode 100644 index 0000000000..a13db320a6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/README.md @@ -0,0 +1,75 @@ +# opendj + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0-15"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..7483be66ca --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,110 @@ +{{- if .Values.backup.enabled }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${CN_MAX_RAM_PERCENTAGE} ${CN_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + python3 /app/scripts/wait.py + python3 /app/scripts/bootstrap.py + + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + volumeMounts: + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + restartPolicy: Never + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..a44a60e217 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,125 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/opendj/values.yaml b/charts/gluu/gluu/5.0.25/charts/opendj/values.yaml new file mode 100644 index 0000000000..2ee772cb9a --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/opendj/values.yaml @@ -0,0 +1,140 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-15 + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/.helmignore b/charts/gluu/gluu/5.0.25/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..2bf88dcf6f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/README.md b/charts/gluu/gluu/5.0.25/charts/persistence/README.md new file mode 100644 index 0000000000..fc2306faf0 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/README.md @@ -0,0 +1,53 @@ +# persistence + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.0.25/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..80f8b592f7 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/templates/jobs.yml @@ -0,0 +1,170 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts )}} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 12}} + {{- end }} + /app/scripts/entrypoint.sh + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + subPath: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + - key: couchbase_password + path: couchbase_password + - key: couchbase_superuser_password + path: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/persistence/values.yaml b/charts/gluu/gluu/5.0.25/charts/persistence/values.yaml new file mode 100644 index 0000000000..ad955bfa74 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/persistence/values.yaml @@ -0,0 +1,58 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.0.25/charts/saml/.helmignore b/charts/gluu/gluu/5.0.25/charts/saml/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.0.25/charts/saml/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/saml/Chart.yaml new file mode 100644 index 0000000000..a107137cf1 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: Jans SAML +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- SAML +- Keycloak +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: saml +sources: +- https://github.com/JanssenProject/jans/docker-jans-saml +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/saml/README.md b/charts/gluu/gluu/5.0.25/charts/saml/README.md new file mode 100644 index 0000000000..2a5b650481 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/README.md @@ -0,0 +1,64 @@ +# saml + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +Jans SAML + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/saml"` | Image to use for deploying. | +| image.tag | string | `"1.0.22-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for saml if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the saml if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-saml"` | The name of the saml port within the saml service. Please keep it as default. | +| service.port | int | `8083` | Port of the saml service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/saml/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/saml/templates/_helpers.tpl new file mode 100644 index 0000000000..784308f4b8 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "saml.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "saml.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "saml.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "saml.labels" -}} +app: {{ .Release.Name }}-{{ include "saml.name" . }} +helm.sh/chart: {{ include "saml.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "saml.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "saml.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "saml.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "saml.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "saml.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "saml.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/deployment.yaml new file mode 100644 index 0000000000..5992ca2315 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/templates/deployment.yaml @@ -0,0 +1,227 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "saml.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: saml + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "saml.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "saml.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "saml.usr-envs" . | indent 12 }} + {{- include "saml.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + - name: kc-db-pass + mountPath: {{ .Values.global.kcDbPasswordFile }} + subPath: kc_db_password + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: kc-db-pass + secret: + secretName: {{ .Release.Name }}-kc-db-pass + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/charts/saml/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/hpa.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/hpa.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/hpa.yaml diff --git a/charts/gluu/gluu/charts/saml/templates/saml-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/saml-destination-rules.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/saml-destination-rules.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/saml-destination-rules.yaml diff --git a/charts/gluu/gluu/charts/saml/templates/saml-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/saml-pdb.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/saml-pdb.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/saml-pdb.yaml diff --git a/charts/gluu/gluu/charts/saml/templates/saml-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/saml-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/saml-virtual-services.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/saml-virtual-services.yaml diff --git a/charts/gluu/gluu/charts/saml/templates/service.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/service.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/service.yaml diff --git a/charts/gluu/gluu/charts/saml/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/saml/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.0.25/charts/saml/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/5.0.25/charts/saml/values.yaml b/charts/gluu/gluu/5.0.25/charts/saml/values.yaml new file mode 100644 index 0000000000..c4dbf735ee --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/saml/values.yaml @@ -0,0 +1,110 @@ +# -- Jans SAML +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/saml + # -- Image tag to use for deploying. + tag: 1.0.22-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the saml service. Please keep it as default. + port: 8083 + # -- The name of the saml port within the saml service. Please keep it as default. + name: http-saml + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for saml if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure the readiness healthcheck for the saml if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.0.25/charts/scim/.helmignore b/charts/gluu/gluu/5.0.25/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.0.25/charts/scim/Chart.yaml b/charts/gluu/gluu/5.0.25/charts/scim/Chart.yaml new file mode 100644 index 0000000000..c796939e6e --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.0.22 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim +type: application +version: 5.0.25 diff --git a/charts/gluu/gluu/5.0.25/charts/scim/README.md b/charts/gluu/gluu/5.0.25/charts/scim/README.md new file mode 100644 index 0000000000..f47ce1dab6 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/README.md @@ -0,0 +1,62 @@ +# scim + +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.22](https://img.shields.io/badge/AppVersion-5.0.22-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.0.22_dev"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.0.25/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..8bb3605eb9 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/deployment.yml @@ -0,0 +1,216 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.0.25/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/service.yml b/charts/gluu/gluu/5.0.25/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.0.25/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.0.25/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/charts/scim/values.yaml b/charts/gluu/gluu/5.0.25/charts/scim/values.yaml new file mode 100644 index 0000000000..b6806f2d62 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/charts/scim/values.yaml @@ -0,0 +1,94 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.0.25/openbanking-values.yaml b/charts/gluu/gluu/5.0.25/openbanking-values.yaml new file mode 100644 index 0000000000..562c7c4bb2 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/openbanking-values.yaml @@ -0,0 +1,690 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.20-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.0.25/questions.yaml b/charts/gluu/gluu/5.0.25/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.0.25/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.0.25/templates/_helpers.tpl b/charts/gluu/gluu/5.0.25/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.0.25/values.schema.json b/charts/gluu/gluu/5.0.25/values.schema.json new file mode 100644 index 0000000000..f07c7855ce --- /dev/null +++ b/charts/gluu/gluu/5.0.25/values.schema.json @@ -0,0 +1,2582 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + }, + "cnLdapCrt": { + "description": "OpenDJ certificate string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnLdapKey": { + "description": "OpenDJ key string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files DB.", + "type":"string", + "pattern":"^(DB)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + }, + "cnSqlPasswordFile": { + "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.", + "type": "string", + "pattern": ".*sql_password\\b.*" + }, + "cnCouchbasePasswordFile": { + "description": "The location of the Couchbase user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password.", + "type": "string", + "pattern": ".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperuserPasswordFile": { + "description": "The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type": "string", + "pattern": ".*couchbase_superuser_password\\b.*" + }, + "cnLdapPasswordFile": { + "description": "The location of the OpenDJ user password. The file path must end with ldap_password.", + "type": "string", + "pattern": ".*ldap_password\\b.*" + }, + "cnLdapTruststorePasswordFile": { + "description": "The location of the OpenDJ truststore password file. The file path must end with ldap_truststore_password.", + "type": "string", + "pattern": ".*ldap_truststore_password\\b.*" + }, + "cnLdapCertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.crt.", + "type": "string", + "pattern": ".*opendj.crt\\b.*" + }, + "cnLdapKeyFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.key.", + "type": "string", + "pattern": ".*opendj.key\\b.*" + }, + "cnLdapCacertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.pem.", + "type": "string", + "pattern": ".*opendj.pem\\b.*" + }, + "cnLdapTruststoreFile": { + "description": "The location of the OpenDJ truststore file. The file path must end with opendj.pkcs12.", + "type": "string", + "pattern": ".*opendj.pkcs12\\b.*" + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} diff --git a/charts/gluu/gluu/5.0.25/values.yaml b/charts/gluu/gluu/5.0.25/values.yaml new file mode 100644 index 0000000000..1b07668221 --- /dev/null +++ b/charts/gluu/gluu/5.0.25/values.yaml @@ -0,0 +1,1878 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Set key selection strategy used by Auth server + keysStrategy: NEWER + # -- Delay (in seconds) before pushing private keys to Auth server + keysPushDelay: 0 + # -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) + keysPushStrategy: NEWER + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + # -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. + salt: "" + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may be using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host uri + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name. + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- LDAP truststore password if OpenDJ is used for persistence + ldapTruststorePassword: changeit + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/casa + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + # -- Enable jans-lock as service running inside auth-server + lockEnabled: false + + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: true + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") + plugins: "admin-ui,fido2,scim,user-mgt" + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + link: + # -- Name of the link service. Please keep it as default. + linkServiceName: link + # -- Boolean flag to enable/disable the link chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- cacherefresh.log target + linkLogTarget: "STDOUT" + # -- cacherefresh.log level + linkLogLevel: "INFO" + # -- cacherefresh_persistence.log target + persistenceLogTarget: "FILE" + # -- cacherefresh_persistence.log level + persistenceLogLevel: "INFO" + # -- cacherefresh_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- cacherefresh_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- cacherefresh_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- cacherefresh_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- cacherefresh_script.log target + scriptLogTarget: "FILE" + # -- cacherefresh_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable link endpoints /jans-link + linkEnabled: true + saml: + # -- Name of the saml service. Please keep it as default. + samlServiceName: saml + # -- Boolean flag to enable/disable the saml chart. + enabled: false + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable saml endpoints /kc + samlEnabled: false + + # -- Path to SQL password file + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- Path to Couchbase password file + cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password + # -- Path to Couchbase superuser password file + cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password + # -- Path to LDAP password file + cnLdapPasswordFile: /etc/jans/conf/ldap_password + # -- Path to LDAP truststore password file + cnLdapTruststorePasswordFile: /etc/jans/conf/ldap_truststore_password + # -- Path to OpenDJ cert file + cnLdapCertFile: /etc/certs/opendj.crt + # -- Path to OpenDJ key file + cnLdapKeyFile: /etc/certs/opendj.key + # -- Path to OpenDJ CA cert file + cnLdapCacertFile: /etc/certs/opendj.pem + # -- Path to OpenDJ truststore file + cnLdapTruststoreFile: /etc/certs/opendj.pkcs12 + # -- Path to file contains password for database access + kcDbPasswordFile: /etc/jans/conf/kc_db_password + # -- Path to file contains Keycloak admin credentials (username and password) + kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Link. +link: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- SAML. +saml: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/saml + # -- Image tag to use for deploying. + tag: 1.0.22_dev + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.0/Chart.yaml b/charts/gluu/gluu/5.1.0/Chart.yaml new file mode 100644 index 0000000000..183aba220e --- /dev/null +++ b/charts/gluu/gluu/5.1.0/Chart.yaml @@ -0,0 +1,100 @@ +annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.1.0-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.1.0-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.1.0-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.1.0-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.1.0-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.1.0-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.1.0-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.1.0-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:5.1.0-1 + - name: link + image: ghcr.io/janssenproject/jans/link:1.1.0-1 + - name: saml + image: ghcr.io/janssenproject/jans/saml:1.1.0-1 + artifacthub.io/license: Apache-2.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.1.0 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 1.1.0 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 1.1.0 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.1.0 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 1.1.0 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.1.0 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 1.1.0 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 1.1.0 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.1.0 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 1.1.0 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 1.1.0 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 1.1.0 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.1.0 +- condition: global.link.enabled + name: link + repository: file://./charts/link + version: 1.1.0 +- condition: global.saml.enabled + name: saml + repository: file://./charts/saml + version: 1.1.0 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: moabu +name: gluu +sources: +- https://docs.gluu.org +version: 5.1.0 diff --git a/charts/gluu/gluu/5.1.0/README.md b/charts/gluu/gluu/5.1.0/README.md new file mode 100644 index 0000000000..53447b2768 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/README.md @@ -0,0 +1,667 @@ +# gluu + +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.1.0 | +| | auth-server | 1.1.0 | +| | auth-server-key-rotation | 1.1.0 | +| | casa | 1.1.0 | +| | cn-istio-ingress | 5.1.0 | +| | config | 1.1.0 | +| | config-api | 1.1.0 | +| | fido2 | 1.1.0 | +| | link | 1.1.0 | +| | nginx-ingress | 5.1.0 | +| | opendj | 5.1.0 | +| | persistence | 1.1.0 | +| | saml | 1.1.0 | +| | scim | 1.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"5.1.0-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"5.1.0-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.1.0-1"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| auth-server-key-rotation.keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| auth-server-key-rotation.keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","kcProxy":"edge","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.1.0-1"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| config.configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| config.configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| config.configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| config.configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| config.configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| config.configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| config.configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| config.configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| config.configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| config.configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| config.configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | +| config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | +| config.configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host uri | +| config.configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| config.configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| config.configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| config.configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| config.configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| config.configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false,"fido2Enabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","licenseSsa":"","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"enabled":false,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.auth-server.lockEnabled | bool | `false` | Enable jans-lock as service running inside auth-server | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnCouchbasePasswordFile | string | `"/etc/jans/conf/couchbase_password"` | Path to Couchbase password file | +| global.cnCouchbaseSuperuserPasswordFile | string | `"/etc/jans/conf/couchbase_superuser_password"` | Path to Couchbase superuser password file | +| global.cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnLdapCacertFile | string | `"/etc/certs/opendj.pem"` | Path to OpenDJ CA cert file | +| global.cnLdapCertFile | string | `"/etc/certs/opendj.crt"` | Path to OpenDJ cert file | +| global.cnLdapKeyFile | string | `"/etc/certs/opendj.key"` | Path to OpenDJ key file | +| global.cnLdapPasswordFile | string | `"/etc/jans/conf/ldap_password"` | Path to LDAP password file | +| global.cnLdapTruststoreFile | string | `"/etc/certs/opendj.pkcs12"` | Path to OpenDJ truststore file | +| global.cnLdapTruststorePasswordFile | string | `"/etc/jans/conf/ldap_truststore_password"` | Path to LDAP truststore password file | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config-api.plugins | string | `"admin-ui,fido2,scim,user-mgt"` | Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false,"fido2Enabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | +| global.kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.licenseSsa | string | `""` | Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. | +| global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.link.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.link.appLoggers.ldapStatsLogLevel | string | `"INFO"` | cacherefresh_persistence_ldap_statistics.log level | +| global.link.appLoggers.ldapStatsLogTarget | string | `"FILE"` | cacherefresh_persistence_ldap_statistics.log target | +| global.link.appLoggers.linkLogLevel | string | `"INFO"` | cacherefresh.log level | +| global.link.appLoggers.linkLogTarget | string | `"STDOUT"` | cacherefresh.log target | +| global.link.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | cacherefresh_persistence_duration.log level | +| global.link.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | cacherefresh_persistence_duration.log target | +| global.link.appLoggers.persistenceLogLevel | string | `"INFO"` | cacherefresh_persistence.log level | +| global.link.appLoggers.persistenceLogTarget | string | `"FILE"` | cacherefresh_persistence.log target | +| global.link.appLoggers.scriptLogLevel | string | `"INFO"` | cacherefresh_script.log level | +| global.link.appLoggers.scriptLogTarget | string | `"FILE"` | cacherefresh_script.log target | +| global.link.enabled | bool | `false` | Boolean flag to enable/disable the link chart. | +| global.link.ingress | object | `{"linkEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.link.linkServiceName | string | `"link"` | Name of the link service. Please keep it as default. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.saml.enabled | bool | `false` | Boolean flag to enable/disable the saml chart. | +| global.saml.ingress | object | `{"samlEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.saml.samlServiceName | string | `"saml"` | Name of the saml service. Please keep it as default. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. | +| link.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| link.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| link.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| link.dnsConfig | object | `{}` | Add custom dns config | +| link.dnsPolicy | string | `""` | Add custom dns policy | +| link.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| link.hpa.behavior | object | `{}` | Scaling Policies | +| link.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| link.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| link.image.pullSecrets | list | `[]` | Image Pull Secrets | +| link.image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| link.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| link.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| link.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| link.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| link.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| link.replicas | int | `1` | Service replica number. | +| link.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| link.resources.limits.cpu | string | `"500m"` | CPU limit. | +| link.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| link.resources.requests.cpu | string | `"500m"` | CPU request. | +| link.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| link.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| link.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| link.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| nginx-ingress.ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.1.0-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | SAML. | +| saml.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| saml.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| saml.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| saml.dnsConfig | object | `{}` | Add custom dns config | +| saml.dnsPolicy | string | `""` | Add custom dns policy | +| saml.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| saml.hpa.behavior | object | `{}` | Scaling Policies | +| saml.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| saml.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| saml.image.pullSecrets | list | `[]` | Image Pull Secrets | +| saml.image.repository | string | `"ghcr.io/janssenproject/jans/saml"` | Image to use for deploying. | +| saml.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| saml.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| saml.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| saml.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| saml.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| saml.replicas | int | `1` | Service replica number. | +| saml.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| saml.resources.limits.cpu | string | `"500m"` | CPU limit. | +| saml.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| saml.resources.requests.cpu | string | `"500m"` | CPU request. | +| saml.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| saml.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| saml.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| saml.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| saml.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| saml.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| saml.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.1.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/app-readme.md b/charts/gluu/gluu/5.1.0/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.1.0/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.1.0/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..df7736c498 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Admin GUI. Requires license. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui +type: application +version: 5.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/README.md b/charts/gluu/gluu/5.1.0/charts/admin-ui/README.md new file mode 100644 index 0000000000..be4a003a7c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/README.md @@ -0,0 +1,60 @@ +# admin-ui + +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"5.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..3d6677d3dd --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,234 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - mountPath: /etc/jans/conf/ssa + name: license-ssa + subPath: ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: license-ssa + secret: + secretName: {{ .Release.Name }}-license-ssa + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.1.0/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..4ecfeac684 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/admin-ui/values.yaml @@ -0,0 +1,92 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 5.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..85a8bbdd60 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Responsible for regenerating auth-keys per x hours +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..ffbd487460 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/README.md @@ -0,0 +1,53 @@ +# auth-server-key-rotation + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..3f159db5a7 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,189 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "@every {{ .Values.keysLife }}h" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}", "--opts", "key-strategy:{{ .Values.keysStrategy }}", "--opts", "privkey-push-delay:{{ .Values.keysPushDelay }}", "--opts", "privkey-push-strategy:{{ .Values.keysPushStrategy }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..af58e82830 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..9a31ff4743 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,62 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Set key selection strategy used by Auth server +keysStrategy: NEWER +# -- Delay (in seconds) before pushing private keys to Auth server +keysPushDelay: 0 +# -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) +keysPushStrategy: NEWER +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/.helmignore b/charts/gluu/gluu/5.1.0/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..1cad3ee829 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/README.md b/charts/gluu/gluu/5.1.0/charts/auth-server/README.md new file mode 100644 index 0000000000..9d30ff7b2b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/README.md @@ -0,0 +1,62 @@ +# auth-server + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..2712f9870a --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..8437c16250 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/deployment.yml @@ -0,0 +1,322 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/auth-server/values.yaml b/charts/gluu/gluu/5.1.0/charts/auth-server/values.yaml new file mode 100644 index 0000000000..56a516b513 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/auth-server/values.yaml @@ -0,0 +1,94 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.0/charts/casa/.helmignore b/charts/gluu/gluu/5.1.0/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.0/charts/casa/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/casa/Chart.yaml new file mode 100644 index 0000000000..17e9958fba --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/casa/README.md b/charts/gluu/gluu/5.1.0/charts/casa/README.md new file mode 100644 index 0000000000..e32589eea3 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..4fc7d069e4 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..3d34e05410 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /jans-casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..0161333c88 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/deployment.yaml @@ -0,0 +1,238 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/casa/values.yaml b/charts/gluu/gluu/5.1.0/charts/casa/values.yaml new file mode 100644 index 0000000000..6c97c2f9ec --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/casa/values.yaml @@ -0,0 +1,107 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..abeafee463 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Istio Gateway +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress +type: application +version: 5.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..87dc3f6591 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..13434720ad --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,37 @@ +{{- if not .Values.global.istio.gateways }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/.helmignore b/charts/gluu/gluu/5.1.0/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..e71e87cd63 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/README.md b/charts/gluu/gluu/5.1.0/charts/config-api/README.md new file mode 100644 index 0000000000..712ee707d8 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/README.md @@ -0,0 +1,66 @@ +# config-api + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..a32d54db37 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..e9754eff7a --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/deployment.yaml @@ -0,0 +1,225 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/config-api/values.yaml b/charts/gluu/gluu/5.1.0/charts/config-api/values.yaml new file mode 100644 index 0000000000..d752530b76 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config-api/values.yaml @@ -0,0 +1,102 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.0/charts/config/.helmignore b/charts/gluu/gluu/5.1.0/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.1.0/charts/config/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/config/Chart.yaml new file mode 100644 index 0000000000..3bdb3ce63f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/config/README.md b/charts/gluu/gluu/5.1.0/charts/config/README.md new file mode 100644 index 0000000000..f4a8a37234 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/README.md @@ -0,0 +1,133 @@ +# config + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | +| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name | +| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host | +| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..b8fd74dfb3 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.casa.enabled}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/configmaps.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/configmaps.yaml rename to charts/gluu/gluu/5.1.0/charts/config/templates/configmaps.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/license-secrets.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/license-secrets.yaml new file mode 100644 index 0000000000..0cf764a03c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/license-secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-license-ssa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ssa: {{ required "global.licenseSsa is required in chart values. This is a base64 string provided by Gluu to activate your license." .Values.global.licenseSsa }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.1.0/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..9988d9ceb9 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/load-init-config.yml @@ -0,0 +1,192 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py + {{- else }} + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py + {{- end }} + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/secrets.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/secrets.yaml rename to charts/gluu/gluu/5.1.0/charts/config/templates/secrets.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.1.0/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.1.0/charts/config/values.yaml b/charts/gluu/gluu/5.1.0/charts/config/values.yaml new file mode 100644 index 0000000000..afe841a897 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/config/values.yaml @@ -0,0 +1,239 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +# -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. +salt: "" +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: team@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- LDAP truststore password if OpenDJ is used for persistence +ldapTruststorePassword: changeit +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/.helmignore b/charts/gluu/gluu/5.1.0/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..5e53d2dc53 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/README.md b/charts/gluu/gluu/5.1.0/charts/fido2/README.md new file mode 100644 index 0000000000..f14edfea4d --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/README.md @@ -0,0 +1,63 @@ +# fido2 + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..10484b1e97 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..84615d338c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/deployment.yml @@ -0,0 +1,234 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-virtual-services.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/fido2-virtual-services.yaml rename to charts/gluu/gluu/5.1.0/charts/fido2/templates/fido2-virtual-services.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/fido2/values.yaml b/charts/gluu/gluu/5.1.0/charts/fido2/values.yaml new file mode 100644 index 0000000000..048c9db22e --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/fido2/values.yaml @@ -0,0 +1,95 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/link/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/link/Chart.yaml new file mode 100644 index 0000000000..307126631f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Jans Link +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- link +kubeVersion: '>=v1.22.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: link +sources: +- https://github.com/JanssenProject/jans/jans-link +- https://github.com/JanssenProject/jans/docker-jans-link +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/link/README.md b/charts/gluu/gluu/5.1.0/charts/link/README.md new file mode 100644 index 0000000000..5f1d1925cc --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/README.md @@ -0,0 +1,65 @@ +# link + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Jans Link + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.22.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the link if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the link if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-link"` | The name of the link port within the link service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/link/templates/_helpers.tpl new file mode 100644 index 0000000000..42e2f3184f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "link.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "link.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "link.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "link.labels" -}} +app: {{ .Release.Name }}-{{ include "link.name" . }} +helm.sh/chart: {{ include "link.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "link.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "link.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "link.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "link.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/deployment.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/deployment.yaml new file mode 100644 index 0000000000..dca074b28c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/deployment.yaml @@ -0,0 +1,224 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "link.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "link.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "link.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "link.usr-envs" . | indent 12 }} + {{- include "link.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9091 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/hpa.yaml new file mode 100644 index 0000000000..0b706a2d2b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "link.fullname" . }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "link.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/link-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/link-destination-rules.yaml new file mode 100644 index 0000000000..993f7ded03 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/link-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-link-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/link-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/link-pdb.yaml new file mode 100644 index 0000000000..1db31aa244 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/link-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "link.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/link-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/link-virtual-services.yaml new file mode 100644 index 0000000000..b1bd93214d --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/link-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "link" "ingress" "linkEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-link + namespace: {{.Release.Namespace}} + labels: + APP_NAME:link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-link + match: + - uri: + prefix: /jans-link + route: + - destination: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 9091 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/link/templates/service.yaml new file mode 100644 index 0000000000..1221c29090 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "link" "linkServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9091 + name: tcp-{{ include "link.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "link.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/link/values.yaml b/charts/gluu/gluu/5.1.0/charts/link/values.yaml new file mode 100644 index 0000000000..8291d38c64 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/link/values.yaml @@ -0,0 +1,104 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the link port within the link service. Please keep it as default. + name: http-link + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the link if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the link if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..d0195b4536 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Nginx ingress definitions chart +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress +type: application +version: 5.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..1a258970c1 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/README.md @@ -0,0 +1,66 @@ +# nginx-ingress + +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/ingress.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/templates/ingress.yaml rename to charts/gluu/gluu/5.1.0/charts/nginx-ingress/templates/ingress.yaml diff --git a/charts/gluu/gluu/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.1.0/charts/nginx-ingress/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/values.yaml rename to charts/gluu/gluu/5.1.0/charts/nginx-ingress/values.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/.helmignore b/charts/gluu/gluu/5.1.0/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..8575735dc7 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj +type: application +version: 5.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/README.md b/charts/gluu/gluu/5.1.0/charts/opendj/README.md new file mode 100644 index 0000000000..dd612c324d --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/README.md @@ -0,0 +1,75 @@ +# opendj + +![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/cronjobs.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/templates/cronjobs.yaml rename to charts/gluu/gluu/5.1.0/charts/opendj/templates/cronjobs.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..a44a60e217 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,125 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/opendj/values.yaml b/charts/gluu/gluu/5.1.0/charts/opendj/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/values.yaml rename to charts/gluu/gluu/5.1.0/charts/opendj/values.yaml diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/.helmignore b/charts/gluu/gluu/5.1.0/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..afb793acb0 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/README.md b/charts/gluu/gluu/5.1.0/charts/persistence/README.md new file mode 100644 index 0000000000..d9afcbf435 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/README.md @@ -0,0 +1,53 @@ +# persistence + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.1.0/charts/persistence/templates/jobs.yml similarity index 100% rename from charts/gluu/gluu/charts/persistence/templates/jobs.yml rename to charts/gluu/gluu/5.1.0/charts/persistence/templates/jobs.yml diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/persistence/values.yaml b/charts/gluu/gluu/5.1.0/charts/persistence/values.yaml new file mode 100644 index 0000000000..7517100340 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/persistence/values.yaml @@ -0,0 +1,58 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.0/charts/saml/.helmignore b/charts/gluu/gluu/5.1.0/charts/saml/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.0/charts/saml/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/saml/Chart.yaml new file mode 100644 index 0000000000..3ffa22c573 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: Jans SAML +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- SAML +- Keycloak +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: saml +sources: +- https://github.com/JanssenProject/jans/docker-jans-saml +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/saml/README.md b/charts/gluu/gluu/5.1.0/charts/saml/README.md new file mode 100644 index 0000000000..d92826108f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/README.md @@ -0,0 +1,64 @@ +# saml + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +Jans SAML + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/saml"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for saml if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the saml if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-saml"` | The name of the saml port within the saml service. Please keep it as default. | +| service.port | int | `8083` | Port of the saml service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/saml/templates/_helpers.tpl new file mode 100644 index 0000000000..784308f4b8 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/_helpers.tpl @@ -0,0 +1,109 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "saml.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "saml.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "saml.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "saml.labels" -}} +app: {{ .Release.Name }}-{{ include "saml.name" . }} +helm.sh/chart: {{ include "saml.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "saml.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "saml.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "saml.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "saml.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "saml.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "saml.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/deployment.yaml new file mode 100644 index 0000000000..b1045fde84 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/deployment.yaml @@ -0,0 +1,244 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "saml.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: saml + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "saml.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "saml.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "saml.usr-envs" . | indent 12 }} + {{- include "saml.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + - name: kc-db-pass + mountPath: {{ .Values.global.kcDbPasswordFile }} + subPath: kc_db_password + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: kc-db-pass + secret: + secretName: {{ .Release.Name }}-kc-db-pass + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/hpa.yaml new file mode 100644 index 0000000000..088742f0f0 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "saml.fullname" . }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "saml.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-destination-rules.yaml new file mode 100644 index 0000000000..5547957c4b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-saml-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.saml.samlServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-pdb.yaml new file mode 100644 index 0000000000..a6adbd310c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "saml.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-virtual-services.yaml new file mode 100644 index 0000000000..8f2c106d4c --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/saml-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.saml.ingress.samlEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-saml + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-saml + match: + - uri: + prefix: /kc + route: + - destination: + host: {{ .Values.global.saml.samlServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8083 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/service.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/service.yaml new file mode 100644 index 0000000000..e05fa7ac64 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.saml.samlServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/saml/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..b4bc2994cc --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.1.0/charts/saml/values.yaml b/charts/gluu/gluu/5.1.0/charts/saml/values.yaml new file mode 100644 index 0000000000..ef911217f1 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/saml/values.yaml @@ -0,0 +1,110 @@ +# -- Jans SAML +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/saml + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the saml service. Please keep it as default. + port: 8083 + # -- The name of the saml port within the saml service. Please keep it as default. + name: http-saml + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for saml if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure the readiness healthcheck for the saml if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.0/charts/scim/.helmignore b/charts/gluu/gluu/5.1.0/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.0/charts/scim/Chart.yaml b/charts/gluu/gluu/5.1.0/charts/scim/Chart.yaml new file mode 100644 index 0000000000..814b7ef079 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.0 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim +type: application +version: 1.1.0 diff --git a/charts/gluu/gluu/5.1.0/charts/scim/README.md b/charts/gluu/gluu/5.1.0/charts/scim/README.md new file mode 100644 index 0000000000..62d134ad39 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/README.md @@ -0,0 +1,62 @@ +# scim + +![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.0](https://img.shields.io/badge/AppVersion-5.1.0-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.1.0-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..04b66d5afd --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.1.0/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..ad172ffa9f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/deployment.yml @@ -0,0 +1,233 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.1.0/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/service.yml b/charts/gluu/gluu/5.1.0/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.0/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.0/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/charts/scim/values.yaml b/charts/gluu/gluu/5.1.0/charts/scim/values.yaml new file mode 100644 index 0000000000..84bfb61caa --- /dev/null +++ b/charts/gluu/gluu/5.1.0/charts/scim/values.yaml @@ -0,0 +1,94 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.0/openbanking-values.yaml b/charts/gluu/gluu/5.1.0/openbanking-values.yaml new file mode 100644 index 0000000000..5544c91790 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/openbanking-values.yaml @@ -0,0 +1,690 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.1.0/questions.yaml b/charts/gluu/gluu/5.1.0/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.1.0/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.1.0/templates/_helpers.tpl b/charts/gluu/gluu/5.1.0/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.0/values.schema.json b/charts/gluu/gluu/5.1.0/values.schema.json new file mode 100644 index 0000000000..ad1eb07856 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/values.schema.json @@ -0,0 +1,2582 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + }, + "cnLdapCrt": { + "description": "OpenDJ certificate string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnLdapKey": { + "description": "OpenDJ key string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "licenseSsa":{ + "description":"Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files DB.", + "type":"string", + "pattern":"^(DB)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws|vault)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + }, + "cnSqlPasswordFile": { + "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.", + "type": "string", + "pattern": ".*sql_password\\b.*" + }, + "cnCouchbasePasswordFile": { + "description": "The location of the Couchbase user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password.", + "type": "string", + "pattern": ".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperuserPasswordFile": { + "description": "The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type": "string", + "pattern": ".*couchbase_superuser_password\\b.*" + }, + "cnLdapPasswordFile": { + "description": "The location of the OpenDJ user password. The file path must end with ldap_password.", + "type": "string", + "pattern": ".*ldap_password\\b.*" + }, + "cnLdapTruststorePasswordFile": { + "description": "The location of the OpenDJ truststore password file. The file path must end with ldap_truststore_password.", + "type": "string", + "pattern": ".*ldap_truststore_password\\b.*" + }, + "cnLdapCertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.crt.", + "type": "string", + "pattern": ".*opendj.crt\\b.*" + }, + "cnLdapKeyFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.key.", + "type": "string", + "pattern": ".*opendj.key\\b.*" + }, + "cnLdapCacertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.pem.", + "type": "string", + "pattern": ".*opendj.pem\\b.*" + }, + "cnLdapTruststoreFile": { + "description": "The location of the OpenDJ truststore file. The file path must end with opendj.pkcs12.", + "type": "string", + "pattern": ".*opendj.pkcs12\\b.*" + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} diff --git a/charts/gluu/gluu/5.1.0/values.yaml b/charts/gluu/gluu/5.1.0/values.yaml new file mode 100644 index 0000000000..d5ea1f1015 --- /dev/null +++ b/charts/gluu/gluu/5.1.0/values.yaml @@ -0,0 +1,1908 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 5.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Set key selection strategy used by Auth server + keysStrategy: NEWER + # -- Delay (in seconds) before pushing private keys to Auth server + keysPushDelay: 0 + # -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) + keysPushStrategy: NEWER + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + # -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. + salt: "" + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may be using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host uri + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name. + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- LDAP truststore password if OpenDJ is used for persistence + ldapTruststorePassword: changeit + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/casa + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + # -- Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded. + licenseSsa: "" + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + # -- Enable jans-lock as service running inside auth-server + lockEnabled: false + + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: true + # -- The initial auth server key rotation keys life in hours + initKeysLife: 48 + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") + plugins: "admin-ui,fido2,scim,user-mgt" + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- Enable endpoint /jans-fido2 + fido2Enabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + link: + # -- Name of the link service. Please keep it as default. + linkServiceName: link + # -- Boolean flag to enable/disable the link chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- cacherefresh.log target + linkLogTarget: "STDOUT" + # -- cacherefresh.log level + linkLogLevel: "INFO" + # -- cacherefresh_persistence.log target + persistenceLogTarget: "FILE" + # -- cacherefresh_persistence.log level + persistenceLogLevel: "INFO" + # -- cacherefresh_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- cacherefresh_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- cacherefresh_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- cacherefresh_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- cacherefresh_script.log target + scriptLogTarget: "FILE" + # -- cacherefresh_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable link endpoints /jans-link + linkEnabled: true + saml: + # -- Name of the saml service. Please keep it as default. + samlServiceName: saml + # -- Boolean flag to enable/disable the saml chart. + enabled: false + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable saml endpoints /kc + samlEnabled: false + + # -- Path to SQL password file + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- Path to Couchbase password file + cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password + # -- Path to Couchbase superuser password file + cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password + # -- Path to LDAP password file + cnLdapPasswordFile: /etc/jans/conf/ldap_password + # -- Path to LDAP truststore password file + cnLdapTruststorePasswordFile: /etc/jans/conf/ldap_truststore_password + # -- Path to OpenDJ cert file + cnLdapCertFile: /etc/certs/opendj.crt + # -- Path to OpenDJ key file + cnLdapKeyFile: /etc/certs/opendj.key + # -- Path to OpenDJ CA cert file + cnLdapCacertFile: /etc/certs/opendj.pem + # -- Path to OpenDJ truststore file + cnLdapTruststoreFile: /etc/certs/opendj.pkcs12 + # -- Path to file contains password for database access + kcDbPasswordFile: /etc/jans/conf/kc_db_password + # -- Path to file contains Keycloak admin credentials (username and password) + kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Link. +link: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- SAML. +saml: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/saml + # -- Image tag to use for deploying. + tag: 1.1.0-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/Chart.yaml b/charts/gluu/gluu/5.1.1/Chart.yaml new file mode 100644 index 0000000000..5d1f7a30ca --- /dev/null +++ b/charts/gluu/gluu/5.1.1/Chart.yaml @@ -0,0 +1,100 @@ +annotations: + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/images: | + - name: auth-server + image: ghcr.io/janssenproject/jans/auth-server:1.1.1-1 + - name: auth-server-key-rotation + image: ghcr.io/janssenproject/jans/certmanager:1.1.1-1 + - name: configuration-manager + image: ghcr.io/janssenproject/jans/configurator:1.1.1-1 + - name: config-api + image: ghcr.io/janssenproject/jans/config-api:1.1.1-1 + - name: fido2 + image: ghcr.io/janssenproject/jans/fido2:1.1.1-1 + - name: persistence + image: ghcr.io/janssenproject/jans/persistence-loader:1.1.1-1 + - name: scim + image: ghcr.io/janssenproject/jans/scim:1.1.1-1 + - name: casa + image: ghcr.io/janssenproject/jans/casa:1.1.1-1 + - name: admin-ui + image: ghcr.io/gluufederation/flex/admin-ui:5.1.1-1 + - name: link + image: ghcr.io/janssenproject/jans/link:1.1.1-1 + - name: saml + image: ghcr.io/janssenproject/jans/saml:1.1.1-1 + artifacthub.io/license: Apache-2.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Gluu Cloud Identity and Access Management + catalog.cattle.io/kube-version: '>=v1.21.0-0' + catalog.cattle.io/release-name: gluu +apiVersion: v2 +appVersion: 5.1.1 +dependencies: +- condition: global.config.enabled + name: config + repository: file://./charts/config + version: 1.1.1 +- condition: global.config-api.enabled + name: config-api + repository: file://./charts/config-api + version: 1.1.1 +- condition: global.opendj.enabled + name: opendj + repository: file://./charts/opendj + version: 5.1.1 +- condition: global.auth-server.enabled + name: auth-server + repository: file://./charts/auth-server + version: 1.1.1 +- condition: global.admin-ui.enabled + name: admin-ui + repository: file://./charts/admin-ui + version: 5.1.1 +- condition: global.fido2.enabled + name: fido2 + repository: file://./charts/fido2 + version: 1.1.1 +- condition: global.scim.enabled + name: scim + repository: file://./charts/scim + version: 1.1.1 +- condition: global.nginx-ingress.enabled + name: nginx-ingress + repository: file://./charts/nginx-ingress + version: 5.1.1 +- condition: global.casa.enabled + name: casa + repository: file://./charts/casa + version: 1.1.1 +- condition: global.auth-server-key-rotation.enabled + name: auth-server-key-rotation + repository: file://./charts/auth-server-key-rotation + version: 1.1.1 +- condition: global.persistence.enabled + name: persistence + repository: file://./charts/persistence + version: 1.1.1 +- condition: global.istio.ingress + name: cn-istio-ingress + repository: file://./charts/cn-istio-ingress + version: 5.1.1 +- condition: global.link.enabled + name: link + repository: file://./charts/link + version: 1.1.1 +- condition: global.saml.enabled + name: saml + repository: file://./charts/saml + version: 1.1.1 +description: Gluu Access and Identity Management +home: https://www.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: moabu +name: gluu +sources: +- https://docs.gluu.org +version: 5.1.1 diff --git a/charts/gluu/gluu/5.1.1/README.md b/charts/gluu/gluu/5.1.1/README.md new file mode 100644 index 0000000000..e4a5c4f837 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/README.md @@ -0,0 +1,673 @@ +# gluu + +![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1--dev-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Gluu Access and Identity Management + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| moabu | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | admin-ui | 5.1.1 | +| | auth-server | 1.1.1 | +| | auth-server-key-rotation | 1.1.1 | +| | casa | 1.1.1 | +| | cn-istio-ingress | 5.1.1 | +| | config | 1.1.1 | +| | config-api | 1.1.1 | +| | fido2 | 1.1.1 | +| | link | 1.1.1 | +| | nginx-ingress | 5.1.1 | +| | opendj | 5.1.1 | +| | persistence | 1.1.1 | +| | saml | 1.1.1 | +| | scim | 1.1.1 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admin-ui | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"5.1.1-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Admin GUI for configuration of the auth-server | +| admin-ui.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| admin-ui.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| admin-ui.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| admin-ui.dnsConfig | object | `{}` | Add custom dns config | +| admin-ui.dnsPolicy | string | `""` | Add custom dns policy | +| admin-ui.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| admin-ui.hpa.behavior | object | `{}` | Scaling Policies | +| admin-ui.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| admin-ui.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| admin-ui.image.pullSecrets | list | `[]` | Image Pull Secrets | +| admin-ui.image.repository | string | `"ghcr.io/gluufederation/flex/admin-ui"` | Image to use for deploying. | +| admin-ui.image.tag | string | `"5.1.1-1"` | Image tag to use for deploying. | +| admin-ui.livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| admin-ui.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| admin-ui.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| admin-ui.replicas | int | `1` | Service replica number. | +| admin-ui.resources | object | `{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}}` | Resource specs. | +| admin-ui.resources.limits.cpu | string | `"2000m"` | CPU limit. | +| admin-ui.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| admin-ui.resources.requests.cpu | string | `"2000m"` | CPU request. | +| admin-ui.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| admin-ui.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| admin-ui.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| admin-ui.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| admin-ui.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| admin-ui.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| admin-ui.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. | +| auth-server-key-rotation | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.1.1-1"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for regenerating auth-keys per x hours | +| auth-server-key-rotation.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server-key-rotation.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server-key-rotation.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server-key-rotation.dnsConfig | object | `{}` | Add custom dns config | +| auth-server-key-rotation.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server-key-rotation.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server-key-rotation.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server-key-rotation.image.repository | string | `"ghcr.io/janssenproject/jans/certmanager"` | Image to use for deploying. | +| auth-server-key-rotation.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| auth-server-key-rotation.keysLife | int | `48` | Auth server key rotation keys life in hours | +| auth-server-key-rotation.keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| auth-server-key-rotation.keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| auth-server-key-rotation.keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| auth-server-key-rotation.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| auth-server-key-rotation.resources.limits.cpu | string | `"300m"` | CPU limit. | +| auth-server-key-rotation.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| auth-server-key-rotation.resources.requests.cpu | string | `"300m"` | CPU request. | +| auth-server-key-rotation.resources.requests.memory | string | `"300Mi"` | Memory request. | +| auth-server-key-rotation.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server-key-rotation.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server-key-rotation.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server-key-rotation.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server-key-rotation.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| auth-server.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| auth-server.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| auth-server.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| auth-server.dnsConfig | object | `{}` | Add custom dns config | +| auth-server.dnsPolicy | string | `""` | Add custom dns policy | +| auth-server.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| auth-server.hpa.behavior | object | `{}` | Scaling Policies | +| auth-server.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| auth-server.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| auth-server.image.pullSecrets | list | `[]` | Image Pull Secrets | +| auth-server.image.repository | string | `"ghcr.io/janssenproject/jans/auth-server"` | Image to use for deploying. | +| auth-server.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| auth-server.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| auth-server.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| auth-server.readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py | +| auth-server.replicas | int | `1` | Service replica number. | +| auth-server.resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| auth-server.resources.limits.cpu | string | `"2500m"` | CPU limit. | +| auth-server.resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| auth-server.resources.requests.cpu | string | `"2500m"` | CPU request. | +| auth-server.resources.requests.memory | string | `"2500Mi"` | Memory request. | +| auth-server.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| auth-server.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| auth-server.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| auth-server.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| auth-server.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| auth-server.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| casa | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. | +| casa.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| casa.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| casa.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| casa.dnsConfig | object | `{}` | Add custom dns config | +| casa.dnsPolicy | string | `""` | Add custom dns policy | +| casa.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| casa.hpa.behavior | object | `{}` | Scaling Policies | +| casa.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| casa.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| casa.image.pullSecrets | list | `[]` | Image Pull Secrets | +| casa.image.repository | string | `"ghcr.io/janssenproject/jans/casa"` | Image to use for deploying. | +| casa.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| casa.livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| casa.livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| casa.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| casa.readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| casa.readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| casa.replicas | int | `1` | Service replica number. | +| casa.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| casa.resources.limits.cpu | string | `"500m"` | CPU limit. | +| casa.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| casa.resources.requests.cpu | string | `"500m"` | CPU request. | +| casa.resources.requests.memory | string | `"500Mi"` | Memory request. | +| casa.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| casa.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| casa.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| casa.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| casa.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| casa.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config | object | `{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnCouchbaseBucketPrefix":"jans","cnCouchbaseCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnCouchbaseIndexNumReplica":0,"cnCouchbasePassword":"P@ssw0rd","cnCouchbaseSuperUser":"admin","cnCouchbaseSuperUserPassword":"Test1234#","cnCouchbaseUrl":"cbgluu.default.svc.cluster.local","cnCouchbaseUser":"gluu","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnGoogleSpannerDatabaseId":"","cnGoogleSpannerInstanceId":"","cnJettyRequestHeaderSize":8192,"cnLdapCrt":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapKey":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnLdapUrl":"opendj:1636","cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","kcProxy":"edge","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customScripts":[],"dnsConfig":{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.1.1-1"},"ldapPassword":"P@ssw0rds","ldapTruststorePassword":"changeit","lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. | +| config-api | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). | +| config-api.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config-api.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config-api.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config-api.dnsConfig | object | `{}` | Add custom dns config | +| config-api.dnsPolicy | string | `""` | Add custom dns policy | +| config-api.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| config-api.hpa.behavior | object | `{}` | Scaling Policies | +| config-api.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| config-api.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| config-api.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config-api.image.repository | string | `"ghcr.io/janssenproject/jans/config-api"` | Image to use for deploying. | +| config-api.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| config-api.livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| config-api.livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | http liveness probe endpoint | +| config-api.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| config-api.readinessProbe.httpGet | object | `{"path":"jans-config-api/api/v1/health/ready","port":8074}` | http readiness probe endpoint | +| config-api.replicas | int | `1` | Service replica number. | +| config-api.resources | object | `{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}}` | Resource specs. | +| config-api.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| config-api.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| config-api.resources.requests.cpu | string | `"1000m"` | CPU request. | +| config-api.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| config-api.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| config-api.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| config-api.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| config-api.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| config-api.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config-api.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| config.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| config.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| config.adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| config.city | string | `"Austin"` | City. Used for certificate creation. | +| config.configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| config.configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| config.configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| config.configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| config.configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| config.configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| config.configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) username. This user is used during initialization only. | +| config.configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| config.configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| config.configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| config.configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| config.configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| config.configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| config.configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| config.configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| config.configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| config.configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| config.configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| config.configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| config.configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| config.configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| config.configmap.cnScimProtectionMode | string | `"OAUTH"` | SCIM protection mode OAUTH|TEST|UMA | +| config.configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| config.configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| config.configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| config.configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| config.configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| config.configmap.cnSqlDbSchema | string | `""` | Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). | +| config.configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| config.configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| config.configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected the secrets . | +| config.configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| config.configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| config.configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| config.configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| config.configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| config.configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| config.configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| config.configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| config.configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| config.configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| config.configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| config.configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may be using "public" schema). | +| config.configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name. | +| config.configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host uri | +| config.configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| config.configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| config.configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| config.configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| config.configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| config.configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| config.configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. | +| config.configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| config.countryCode | string | `"US"` | Country code. Used for certificate creation. | +| config.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| config.dnsConfig | object | `{}` | Add custom dns config | +| config.dnsPolicy | string | `""` | Add custom dns policy | +| config.email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| config.image.pullSecrets | list | `[]` | Image Pull Secrets | +| config.image.repository | string | `"ghcr.io/janssenproject/jans/configurator"` | Image to use for deploying. | +| config.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| config.ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpenDJ is used for persistence. | +| config.ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| config.migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| config.migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| config.migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| config.migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| config.orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| config.redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| config.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| config.resources.limits.cpu | string | `"300m"` | CPU limit. | +| config.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| config.resources.requests.cpu | string | `"300m"` | CPU request. | +| config.resources.requests.memory | string | `"300Mi"` | Memory request. | +| config.salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| config.state | string | `"TX"` | State code. Used for certificate creation. | +| config.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| config.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| config.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| config.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| config.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| fido2 | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. | +| fido2.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| fido2.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| fido2.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| fido2.dnsConfig | object | `{}` | Add custom dns config | +| fido2.dnsPolicy | string | `""` | Add custom dns policy | +| fido2.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| fido2.hpa.behavior | object | `{}` | Scaling Policies | +| fido2.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| fido2.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| fido2.image.pullSecrets | list | `[]` | Image Pull Secrets | +| fido2.image.repository | string | `"ghcr.io/janssenproject/jans/fido2"` | Image to use for deploying. | +| fido2.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| fido2.livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| fido2.livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| fido2.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| fido2.readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| fido2.replicas | int | `1` | Service replica number. | +| fido2.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| fido2.resources.limits.cpu | string | `"500m"` | CPU limit. | +| fido2.resources.limits.memory | string | `"500Mi"` | Memory limit. | +| fido2.resources.requests.cpu | string | `"500m"` | CPU request. | +| fido2.resources.requests.memory | string | `"500Mi"` | Memory request. | +| fido2.service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| fido2.service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| fido2.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| fido2.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| fido2.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| fido2.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| fido2.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| fido2.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| global | object | `{"admin-ui":{"adminUiServiceName":"admin-ui","enabled":true,"ingress":{"adminUiEnabled":false}},"alb":{"ingress":false},"auth-server":{"appLoggers":{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"authEncKeys":"RSA1_5 RSA-OAEP","authServerServiceName":"auth-server","authSigKeys":"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512","cnCustomJavaOptions":"","enabled":true,"ingress":{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true},"lockEnabled":false},"auth-server-key-rotation":{"enabled":true,"initKeysLife":48},"awsStorageType":"io1","azureStorageAccountType":"Standard_LRS","azureStorageKind":"Managed","casa":{"appLoggers":{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"},"casaServiceName":"casa","cnCustomJavaOptions":"","enabled":true,"ingress":{"casaEnabled":false}},"cloud":{"testEnviroment":false},"cnAwsConfigFile":"/etc/jans/conf/aws_config_file","cnAwsSecretsReplicaRegionsFile":"/etc/jans/conf/aws_secrets_replica_regions","cnAwsSharedCredentialsFile":"/etc/jans/conf/aws_shared_credential_file","cnCouchbasePasswordFile":"/etc/jans/conf/couchbase_password","cnCouchbaseSuperuserPasswordFile":"/etc/jans/conf/couchbase_superuser_password","cnDocumentStoreType":"DB","cnGoogleApplicationCredentials":"/etc/jans/conf/google-credentials.json","cnLdapCacertFile":"/etc/certs/opendj.pem","cnLdapCertFile":"/etc/certs/opendj.crt","cnLdapKeyFile":"/etc/certs/opendj.key","cnLdapPasswordFile":"/etc/jans/conf/ldap_password","cnLdapTruststoreFile":"/etc/certs/opendj.pkcs12","cnLdapTruststorePasswordFile":"/etc/jans/conf/ldap_truststore_password","cnObExtSigningAlias":"","cnObExtSigningJwksCrt":"","cnObExtSigningJwksKey":"","cnObExtSigningJwksKeyPassPhrase":"","cnObExtSigningJwksUri":"","cnObStaticSigningKeyKid":"","cnObTransportAlias":"","cnObTransportCrt":"","cnObTransportKey":"","cnObTransportKeyPassPhrase":"","cnObTransportTrustStore":"","cnPersistenceType":"sql","cnPrometheusPort":"","cnSqlPasswordFile":"/etc/jans/conf/sql_password","config":{"enabled":true},"config-api":{"adminUiAppLoggers":{"adminUiAuditLogLevel":"INFO","adminUiAuditLogTarget":"FILE","adminUiLogLevel":"INFO","adminUiLogTarget":"FILE","enableStdoutLogPrefix":"true"},"appLoggers":{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","configApiServerServiceName":"config-api","enabled":true,"ingress":{"configApiEnabled":true},"plugins":"admin-ui,fido2,scim,user-mgt"},"configAdapterName":"kubernetes","configSecretAdapter":"kubernetes","distribution":"default","fido2":{"appLoggers":{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","enabled":true,"fido2ServiceName":"fido2","ingress":{"fido2ConfigEnabled":false,"fido2Enabled":false}},"fqdn":"demoexample.gluu.org","gcePdStorageType":"pd-standard","isFqdnRegistered":false,"istio":{"additionalAnnotations":{},"additionalLabels":{},"enabled":false,"gateways":[],"ingress":false,"namespace":"istio-system"},"jobTtlSecondsAfterFinished":300,"kcAdminCredentialsFile":"/etc/jans/conf/kc_admin_creds","kcDbPasswordFile":"/etc/jans/conf/kc_db_password","lbIp":"22.22.22.22","link":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","enabled":false,"ingress":{"linkEnabled":true},"linkServiceName":"link"},"nginx-ingress":{"enabled":true},"opendj":{"enabled":false,"ldapServiceName":"opendj"},"persistence":{"enabled":true},"saml":{"cnCustomJavaOptions":"","enabled":false,"ingress":{"samlEnabled":false},"samlServiceName":"saml"},"scim":{"appLoggers":{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"},"cnCustomJavaOptions":"","enabled":true,"ingress":{"scimConfigEnabled":false,"scimEnabled":false},"scimServiceName":"scim"},"storageClass":{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"},"usrEnvs":{"normal":{},"secret":{}}}` | Parameters used globally across all services helm charts. | +| global.admin-ui.adminUiServiceName | string | `"admin-ui"` | Name of the admin-ui service. Please keep it as default. | +| global.admin-ui.enabled | bool | `true` | Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. | +| global.admin-ui.ingress.adminUiEnabled | bool | `false` | Enable Admin UI endpoints in either istio or nginx ingress depending on users choice | +| global.alb.ingress | bool | `false` | Activates ALB ingress | +| global.auth-server-key-rotation.enabled | bool | `true` | Boolean flag to enable/disable the auth-server-key rotation cronjob chart. | +| global.auth-server-key-rotation.initKeysLife | int | `48` | The initial auth server key rotation keys life in hours | +| global.auth-server.appLoggers | object | `{"auditStatsLogLevel":"INFO","auditStatsLogTarget":"FILE","authLogLevel":"INFO","authLogTarget":"STDOUT","enableStdoutLogPrefix":"true","httpLogLevel":"INFO","httpLogTarget":"FILE","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.auth-server.appLoggers.auditStatsLogLevel | string | `"INFO"` | jans-auth_audit.log level | +| global.auth-server.appLoggers.auditStatsLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.appLoggers.authLogLevel | string | `"INFO"` | jans-auth.log level | +| global.auth-server.appLoggers.authLogTarget | string | `"STDOUT"` | jans-auth.log target | +| global.auth-server.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO | +| global.auth-server.appLoggers.httpLogLevel | string | `"INFO"` | http_request_response.log level | +| global.auth-server.appLoggers.httpLogTarget | string | `"FILE"` | http_request_response.log target | +| global.auth-server.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-auth_persistence_ldap_statistics.log level | +| global.auth-server.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-auth_persistence_ldap_statistics.log target | +| global.auth-server.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-auth_persistence_duration.log level | +| global.auth-server.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-auth_persistence_duration.log target | +| global.auth-server.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-auth_persistence.log level | +| global.auth-server.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-auth_persistence.log target | +| global.auth-server.appLoggers.scriptLogLevel | string | `"INFO"` | jans-auth_script.log level | +| global.auth-server.appLoggers.scriptLogTarget | string | `"FILE"` | jans-auth_script.log target | +| global.auth-server.authEncKeys | string | `"RSA1_5 RSA-OAEP"` | space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) | +| global.auth-server.authServerServiceName | string | `"auth-server"` | Name of the auth-server service. Please keep it as default. | +| global.auth-server.authSigKeys | string | `"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512"` | space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) | +| global.auth-server.cnCustomJavaOptions | string | `""` | passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.auth-server.enabled | bool | `true` | Boolean flag to enable/disable auth-server chart. You should never set this to false. | +| global.auth-server.ingress | object | `{"authServerEnabled":true,"authServerProtectedRegister":false,"authServerProtectedToken":false,"deviceCodeEnabled":true,"firebaseMessagingEnabled":true,"openidConfigEnabled":true,"u2fConfigEnabled":true,"uma2ConfigEnabled":true,"webdiscoveryEnabled":true,"webfingerEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.auth-server.ingress.authServerEnabled | bool | `true` | Enable Auth server endpoints /jans-auth | +| global.auth-server.ingress.authServerProtectedRegister | bool | `false` | Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. | +| global.auth-server.ingress.authServerProtectedToken | bool | `false` | Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. | +| global.auth-server.ingress.deviceCodeEnabled | bool | `true` | Enable endpoint /device-code | +| global.auth-server.ingress.firebaseMessagingEnabled | bool | `true` | Enable endpoint /firebase-messaging-sw.js | +| global.auth-server.ingress.openidConfigEnabled | bool | `true` | Enable endpoint /.well-known/openid-configuration | +| global.auth-server.ingress.u2fConfigEnabled | bool | `true` | Enable endpoint /.well-known/fido-configuration | +| global.auth-server.ingress.uma2ConfigEnabled | bool | `true` | Enable endpoint /.well-known/uma2-configuration | +| global.auth-server.ingress.webdiscoveryEnabled | bool | `true` | Enable endpoint /.well-known/simple-web-discovery | +| global.auth-server.ingress.webfingerEnabled | bool | `true` | Enable endpoint /.well-known/webfinger | +| global.auth-server.lockEnabled | bool | `false` | Enable jans-lock as service running inside auth-server | +| global.awsStorageType | string | `"io1"` | Volume storage type if using AWS volumes. | +| global.azureStorageAccountType | string | `"Standard_LRS"` | Volume storage type if using Azure disks. | +| global.azureStorageKind | string | `"Managed"` | Azure storage kind if using Azure disks | +| global.casa.appLoggers | object | `{"casaLogLevel":"INFO","casaLogTarget":"STDOUT","enableStdoutLogPrefix":"true","timerLogLevel":"INFO","timerLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.casa.appLoggers.casaLogLevel | string | `"INFO"` | casa.log level | +| global.casa.appLoggers.casaLogTarget | string | `"STDOUT"` | casa.log target | +| global.casa.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO | +| global.casa.appLoggers.timerLogLevel | string | `"INFO"` | casa timer log level | +| global.casa.appLoggers.timerLogTarget | string | `"FILE"` | casa timer log target | +| global.casa.casaServiceName | string | `"casa"` | Name of the casa service. Please keep it as default. | +| global.casa.cnCustomJavaOptions | string | `""` | passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.casa.enabled | bool | `true` | Boolean flag to enable/disable the casa chart. | +| global.casa.ingress | object | `{"casaEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.casa.ingress.casaEnabled | bool | `false` | Enable casa endpoints /casa | +| global.cloud.testEnviroment | bool | `false` | Boolean flag if enabled will strip resources requests and limits from all services. | +| global.cnCouchbasePasswordFile | string | `"/etc/jans/conf/couchbase_password"` | Path to Couchbase password file | +| global.cnCouchbaseSuperuserPasswordFile | string | `"/etc/jans/conf/couchbase_superuser_password"` | Path to Couchbase superuser password file | +| global.cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. | +| global.cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. | +| global.cnLdapCacertFile | string | `"/etc/certs/opendj.pem"` | Path to OpenDJ CA cert file | +| global.cnLdapCertFile | string | `"/etc/certs/opendj.crt"` | Path to OpenDJ cert file | +| global.cnLdapKeyFile | string | `"/etc/certs/opendj.key"` | Path to OpenDJ key file | +| global.cnLdapPasswordFile | string | `"/etc/jans/conf/ldap_password"` | Path to LDAP password file | +| global.cnLdapTruststoreFile | string | `"/etc/certs/opendj.pkcs12"` | Path to OpenDJ truststore file | +| global.cnLdapTruststorePasswordFile | string | `"/etc/jans/conf/ldap_truststore_password"` | Path to LDAP truststore password file | +| global.cnObExtSigningAlias | string | `""` | Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G | +| global.cnObExtSigningJwksCrt | string | `""` | Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKey | string | `""` | Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksKeyPassPhrase | string | `""` | Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. | +| global.cnObExtSigningJwksUri | string | `""` | Open banking external signing jwks uri. Used in SSA Validation. | +| global.cnObStaticSigningKeyKid | string | `""` | Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G | +| global.cnObTransportAlias | string | `""` | Open banking transport Alias used inside the JVM. | +| global.cnObTransportCrt | string | `""` | Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKey | string | `""` | Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. | +| global.cnObTransportKeyPassPhrase | string | `""` | Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. | +| global.cnObTransportTrustStore | string | `""` | Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. | +| global.cnPersistenceType | string | `"sql"` | Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. | +| global.cnPrometheusPort | string | `""` | Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. | +| global.cnSqlPasswordFile | string | `"/etc/jans/conf/sql_password"` | Path to SQL password file | +| global.config-api.adminUiAppLoggers.adminUiAuditLogLevel | string | `"INFO"` | config-api admin-ui plugin audit log level | +| global.config-api.adminUiAppLoggers.adminUiAuditLogTarget | string | `"FILE"` | config-api admin-ui plugin audit log target | +| global.config-api.adminUiAppLoggers.adminUiLogLevel | string | `"INFO"` | config-api admin-ui plugin log target | +| global.config-api.adminUiAppLoggers.adminUiLogTarget | string | `"FILE"` | config-api admin-ui plugin log level | +| global.config-api.adminUiAppLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers | object | `{"configApiLogLevel":"INFO","configApiLogTarget":"STDOUT","enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.config-api.appLoggers.configApiLogLevel | string | `"INFO"` | configapi.log level | +| global.config-api.appLoggers.configApiLogTarget | string | `"STDOUT"` | configapi.log target | +| global.config-api.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.config-api.appLoggers.ldapStatsLogLevel | string | `"INFO"` | config-api_persistence_ldap_statistics.log level | +| global.config-api.appLoggers.ldapStatsLogTarget | string | `"FILE"` | config-api_persistence_ldap_statistics.log target | +| global.config-api.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | config-api_persistence_duration.log level | +| global.config-api.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | config-api_persistence_duration.log target | +| global.config-api.appLoggers.persistenceLogLevel | string | `"INFO"` | config-api_persistence.log level | +| global.config-api.appLoggers.persistenceLogTarget | string | `"FILE"` | config-api_persistence.log target | +| global.config-api.appLoggers.scriptLogLevel | string | `"INFO"` | config-api_script.log level | +| global.config-api.appLoggers.scriptLogTarget | string | `"FILE"` | config-api_script.log target | +| global.config-api.cnCustomJavaOptions | string | `""` | passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.config-api.configApiServerServiceName | string | `"config-api"` | Name of the config-api service. Please keep it as default. | +| global.config-api.enabled | bool | `true` | Boolean flag to enable/disable the config-api chart. | +| global.config-api.ingress | object | `{"configApiEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.config-api.plugins | string | `"admin-ui,fido2,scim,user-mgt"` | Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") | +| global.config.enabled | bool | `true` | Boolean flag to enable/disable the configuration chart. This normally should never be false | +| global.configAdapterName | string | `"kubernetes"` | The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes | +| global.configSecretAdapter | string | `"kubernetes"` | The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes | +| global.distribution | string | `"default"` | Gluu distributions supported are: default|openbanking. | +| global.fido2.appLoggers | object | `{"enableStdoutLogPrefix":"true","fido2LogLevel":"INFO","fido2LogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.fido2.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO | +| global.fido2.appLoggers.fido2LogLevel | string | `"INFO"` | fido2.log level | +| global.fido2.appLoggers.fido2LogTarget | string | `"STDOUT"` | fido2.log target | +| global.fido2.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | fido2_persistence_duration.log level | +| global.fido2.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | fido2_persistence_duration.log target | +| global.fido2.appLoggers.persistenceLogLevel | string | `"INFO"` | fido2_persistence.log level | +| global.fido2.appLoggers.persistenceLogTarget | string | `"FILE"` | fido2_persistence.log target | +| global.fido2.appLoggers.scriptLogLevel | string | `"INFO"` | fido2_script.log level | +| global.fido2.appLoggers.scriptLogTarget | string | `"FILE"` | fido2_script.log target | +| global.fido2.cnCustomJavaOptions | string | `""` | passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.fido2.enabled | bool | `true` | Boolean flag to enable/disable the fido2 chart. | +| global.fido2.fido2ServiceName | string | `"fido2"` | Name of the fido2 service. Please keep it as default. | +| global.fido2.ingress | object | `{"fido2ConfigEnabled":false,"fido2Enabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.fido2.ingress.fido2ConfigEnabled | bool | `false` | Enable endpoint /.well-known/fido2-configuration | +| global.fido2.ingress.fido2Enabled | bool | `false` | Enable endpoint /jans-fido2 | +| global.fqdn | string | `"demoexample.gluu.org"` | Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. | +| global.gcePdStorageType | string | `"pd-standard"` | GCE storage kind if using Google disks | +| global.isFqdnRegistered | bool | `false` | Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. | +| global.istio.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| global.istio.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| global.istio.enabled | bool | `false` | Boolean flag that enables using istio side-cars with Gluu services. | +| global.istio.gateways | list | `[]` | Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. | +| global.istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. | +| global.istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. | +| global.jobTtlSecondsAfterFinished | int | `300` | https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| global.kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) | +| global.kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access | +| global.lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. | +| global.link.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.link.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO | +| global.link.appLoggers.ldapStatsLogLevel | string | `"INFO"` | cacherefresh_persistence_ldap_statistics.log level | +| global.link.appLoggers.ldapStatsLogTarget | string | `"FILE"` | cacherefresh_persistence_ldap_statistics.log target | +| global.link.appLoggers.linkLogLevel | string | `"INFO"` | cacherefresh.log level | +| global.link.appLoggers.linkLogTarget | string | `"STDOUT"` | cacherefresh.log target | +| global.link.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | cacherefresh_persistence_duration.log level | +| global.link.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | cacherefresh_persistence_duration.log target | +| global.link.appLoggers.persistenceLogLevel | string | `"INFO"` | cacherefresh_persistence.log level | +| global.link.appLoggers.persistenceLogTarget | string | `"FILE"` | cacherefresh_persistence.log target | +| global.link.appLoggers.scriptLogLevel | string | `"INFO"` | cacherefresh_script.log level | +| global.link.appLoggers.scriptLogTarget | string | `"FILE"` | cacherefresh_script.log target | +| global.link.cnCustomJavaOptions | string | `""` | passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.link.enabled | bool | `false` | Boolean flag to enable/disable the link chart. | +| global.link.ingress | object | `{"linkEnabled":true}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.link.linkServiceName | string | `"link"` | Name of the link service. Please keep it as default. | +| global.nginx-ingress.enabled | bool | `true` | Boolean flag to enable/disable the nginx-ingress definitions chart. | +| global.opendj.enabled | bool | `false` | Boolean flag to enable/disable the OpenDJ chart. | +| global.opendj.ldapServiceName | string | `"opendj"` | Name of the OpenDJ service. Please keep it as default. | +| global.persistence.enabled | bool | `true` | Boolean flag to enable/disable the persistence chart. | +| global.saml.cnCustomJavaOptions | string | `""` | passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. | +| global.saml.enabled | bool | `false` | Boolean flag to enable/disable the saml chart. | +| global.saml.ingress | object | `{"samlEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.saml.samlServiceName | string | `"saml"` | Name of the saml service. Please keep it as default. | +| global.scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. | +| global.scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO | +| global.scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level | +| global.scim.appLoggers.ldapStatsLogTarget | string | `"FILE"` | jans-scim_persistence_ldap_statistics.log target | +| global.scim.appLoggers.persistenceDurationLogLevel | string | `"INFO"` | jans-scim_persistence_duration.log level | +| global.scim.appLoggers.persistenceDurationLogTarget | string | `"FILE"` | jans-scim_persistence_duration.log target | +| global.scim.appLoggers.persistenceLogLevel | string | `"INFO"` | jans-scim_persistence.log level | +| global.scim.appLoggers.persistenceLogTarget | string | `"FILE"` | jans-scim_persistence.log target | +| global.scim.appLoggers.scimLogLevel | string | `"INFO"` | jans-scim.log level | +| global.scim.appLoggers.scimLogTarget | string | `"STDOUT"` | jans-scim.log target | +| global.scim.appLoggers.scriptLogLevel | string | `"INFO"` | jans-scim_script.log level | +| global.scim.appLoggers.scriptLogTarget | string | `"FILE"` | jans-scim_script.log target | +| global.scim.cnCustomJavaOptions | string | `""` | passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. | +| global.scim.enabled | bool | `true` | Boolean flag to enable/disable the SCIM chart. | +| global.scim.ingress | object | `{"scimConfigEnabled":false,"scimEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice | +| global.scim.ingress.scimConfigEnabled | bool | `false` | Enable endpoint /.well-known/scim-configuration | +| global.scim.ingress.scimEnabled | bool | `false` | Enable SCIM endpoints /jans-scim | +| global.scim.scimServiceName | string | `"scim"` | Name of the scim service. Please keep it as default. | +| global.storageClass | object | `{"allowVolumeExpansion":true,"allowedTopologies":[],"mountOptions":["debug"],"parameters":{},"provisioner":"microk8s.io/hostpath","reclaimPolicy":"Retain","volumeBindingMode":"WaitForFirstConsumer"}` | StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. | +| global.storageClass.parameters | object | `{}` | parameters: fsType: "" kind: "" pool: "" storageAccountType: "" type: "" | +| global.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services | +| global.usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| global.usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| installer-settings | object | `{"acceptLicense":"","aws":{"arn":{"arnAcmCert":"","enabled":""},"lbType":"","vpcCidr":"0.0.0.0/0"},"confirmSettings":false,"couchbase":{"backup":{"fullSchedule":"","incrementalSchedule":"","retentionTime":"","storageSize":""},"clusterName":"","commonName":"","customFileOverride":"","install":"","lowResourceInstall":"","namespace":"","subjectAlternativeName":"","totalNumberOfExpectedTransactionsPerSec":"","totalNumberOfExpectedUsers":"","volumeType":""},"currentVersion":"","google":{"useSecretManager":""},"images":{"edit":""},"ldap":{"backup":{"fullSchedule":""}},"namespace":"","nginxIngress":{"namespace":"","releaseName":""},"nodes":{"ips":"","names":"","zones":""},"openbanking":{"cnObTransportTrustStoreP12password":"","hasCnObTransportTrustStore":false},"postgres":{"install":"","namespace":""},"redis":{"install":"","namespace":""},"releaseName":"","sql":{"install":"","namespace":""},"volumeProvisionStrategy":""}` | Only used by the installer. These settings do not affect nor are used by the chart | +| link | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Link. | +| link.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| link.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| link.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| link.dnsConfig | object | `{}` | Add custom dns config | +| link.dnsPolicy | string | `""` | Add custom dns policy | +| link.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| link.hpa.behavior | object | `{}` | Scaling Policies | +| link.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| link.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| link.image.pullSecrets | list | `[]` | Image Pull Secrets | +| link.image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| link.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| link.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| link.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| link.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| link.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| link.replicas | int | `1` | Service replica number. | +| link.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| link.resources.limits.cpu | string | `"500m"` | CPU limit. | +| link.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| link.resources.requests.cpu | string | `"500m"` | CPU request. | +| link.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| link.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| link.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| link.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| link.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| link.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| link.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| nginx-ingress | object | `{"certManager":{"certificate":{"enabled":false,"issuerGroup":"cert-manager.io","issuerKind":"ClusterIssuer","issuerName":""}},"ingress":{"additionalAnnotations":{},"additionalLabels":{},"adminUiAdditionalAnnotations":{},"adminUiLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"authServerProtectedRegisterAdditionalAnnotations":{},"authServerProtectedRegisterLabels":{},"authServerProtectedTokenAdditionalAnnotations":{},"authServerProtectedTokenLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"configApiAdditionalAnnotations":{},"configApiLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}}` | Nginx ingress definitions chart | +| nginx-ingress.ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| nginx-ingress.ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| nginx-ingress.ingress.adminUiAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.adminUiLabels | object | `{}` | Admin UI ingress resource labels. key app is taken. | +| nginx-ingress.ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| nginx-ingress.ingress.authServerLabels | object | `{}` | Auth server ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedRegisterAdditionalAnnotations | object | `{}` | Auth server protected register ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedRegisterLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.authServerProtectedTokenAdditionalAnnotations | object | `{}` | Auth server protected token ingress resource additional annotations. | +| nginx-ingress.ingress.authServerProtectedTokenLabels | object | `{}` | Auth server protected token ingress resource labels. key app is taken | +| nginx-ingress.ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| nginx-ingress.ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| nginx-ingress.ingress.configApiAdditionalAnnotations | object | `{}` | ConfigAPI ingress resource additional annotations. | +| nginx-ingress.ingress.configApiLabels | object | `{}` | configAPI ingress resource labels. key app is taken | +| nginx-ingress.ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| nginx-ingress.ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| nginx-ingress.ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| nginx-ingress.ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| nginx-ingress.ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| nginx-ingress.ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| nginx-ingress.ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.scimLabels | object | `{}` | SCIM config ingress resource labels. key app is taken | +| nginx-ingress.ingress.tls | list | `[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}]` | Secrets holding HTTPS CA cert and key. | +| nginx-ingress.ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| nginx-ingress.ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| nginx-ingress.ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| nginx-ingress.ingress.uma2ConfigLabels | object | `{}` | uma2 config ingress resource labels. key app is taken | +| nginx-ingress.ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| nginx-ingress.ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| nginx-ingress.ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| nginx-ingress.ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| opendj | object | `{"additionalAnnotations":{},"additionalLabels":{},"backup":{"cronJobSchedule":"*/59 * * * *","enabled":true},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"gluufederation/opendj","tag":"5.0.0_dev"},"lifecycle":{"preStop":{"exec":{"command":["/bin/sh","-c","python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"]}}},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":1},"persistence":{"size":"5Gi"},"ports":{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. | +| opendj.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| opendj.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| opendj.backup | object | `{"cronJobSchedule":"*/59 * * * *","enabled":true}` | Configure ldap backup cronjob | +| opendj.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| opendj.dnsConfig | object | `{}` | Add custom dns config | +| opendj.dnsPolicy | string | `""` | Add custom dns policy | +| opendj.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| opendj.hpa.behavior | object | `{}` | Scaling Policies | +| opendj.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| opendj.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| opendj.image.pullSecrets | list | `[]` | Image Pull Secrets | +| opendj.image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| opendj.image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| opendj.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| opendj.pdb | object | `{"enabled":true,"maxUnavailable":1}` | Configure the PodDisruptionBudget | +| opendj.persistence.size | string | `"5Gi"` | OpenDJ volume size | +| opendj.readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py | +| opendj.replicas | int | `1` | Service replica number. | +| opendj.resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| opendj.resources.limits.cpu | string | `"1500m"` | CPU limit. | +| opendj.resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| opendj.resources.requests.cpu | string | `"1500m"` | CPU request. | +| opendj.resources.requests.memory | string | `"2000Mi"` | Memory request. | +| opendj.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| opendj.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| opendj.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| opendj.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| opendj.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| opendj.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| persistence | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.1.1-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Job to generate data and initial config for Gluu Server persistence layer. | +| persistence.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| persistence.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| persistence.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| persistence.dnsConfig | object | `{}` | Add custom dns config | +| persistence.dnsPolicy | string | `""` | Add custom dns policy | +| persistence.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| persistence.image.pullSecrets | list | `[]` | Image Pull Secrets | +| persistence.image.repository | string | `"ghcr.io/janssenproject/jans/persistence-loader"` | Image to use for deploying. | +| persistence.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| persistence.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| persistence.resources.limits.cpu | string | `"300m"` | CPU limit | +| persistence.resources.limits.memory | string | `"300Mi"` | Memory limit. | +| persistence.resources.requests.cpu | string | `"300m"` | CPU request. | +| persistence.resources.requests.memory | string | `"300Mi"` | Memory request. | +| persistence.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| persistence.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| persistence.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| persistence.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| persistence.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| saml | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | SAML. | +| saml.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| saml.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| saml.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| saml.dnsConfig | object | `{}` | Add custom dns config | +| saml.dnsPolicy | string | `""` | Add custom dns policy | +| saml.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| saml.hpa.behavior | object | `{}` | Scaling Policies | +| saml.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| saml.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| saml.image.pullSecrets | list | `[]` | Image Pull Secrets | +| saml.image.repository | string | `"ghcr.io/janssenproject/jans/saml"` | Image to use for deploying. | +| saml.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| saml.livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| saml.livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http liveness probe endpoint | +| saml.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| saml.readinessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | http readiness probe endpoint | +| saml.replicas | int | `1` | Service replica number. | +| saml.resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| saml.resources.limits.cpu | string | `"500m"` | CPU limit. | +| saml.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| saml.resources.requests.cpu | string | `"500m"` | CPU request. | +| saml.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| saml.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| saml.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| saml.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| saml.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| saml.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| saml.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | +| scim | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.1.1-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1000Mi"},"requests":{"cpu":"1000m","memory":"1000Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | System for Cross-domain Identity Management (SCIM) version 2.0 | +| scim.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} | +| scim.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} | +| scim.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| scim.dnsConfig | object | `{}` | Add custom dns config | +| scim.dnsPolicy | string | `""` | Add custom dns policy | +| scim.hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| scim.hpa.behavior | object | `{}` | Scaling Policies | +| scim.hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| scim.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| scim.image.pullSecrets | list | `[]` | Image Pull Secrets | +| scim.image.repository | string | `"ghcr.io/janssenproject/jans/scim"` | Image to use for deploying. | +| scim.image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| scim.livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| scim.livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| scim.pdb | object | `{"enabled":true,"maxUnavailable":"90%"}` | Configure the PodDisruptionBudget | +| scim.readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| scim.readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| scim.replicas | int | `1` | Service replica number. | +| scim.resources.limits.cpu | string | `"1000m"` | CPU limit. | +| scim.resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| scim.resources.requests.cpu | string | `"1000m"` | CPU request. | +| scim.resources.requests.memory | string | `"1000Mi"` | Memory request. | +| scim.service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| scim.service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| scim.topologySpreadConstraints | object | `{}` | Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| scim.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| scim.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| scim.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| scim.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| scim.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/app-readme.md b/charts/gluu/gluu/5.1.1/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.1.1/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.1.1/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/Chart.yaml new file mode 100644 index 0000000000..5b5a078607 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Admin GUI. Requires license. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +- GUI +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: admin-ui +sources: +- https://github.com/GluuFederation/docker-gluu-admin-ui +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/admin-ui +type: application +version: 5.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/README.md b/charts/gluu/gluu/5.1.1/charts/admin-ui/README.md new file mode 100644 index 0000000000..23596fb8ea --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/README.md @@ -0,0 +1,60 @@ +# admin-ui + +![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Admin GUI. Requires license. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/admin-ui"` | Image to use for deploying. | +| image.tag | string | `"5.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the liveness healthcheck for the admin ui if needed. | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5}` | Configure the readiness healthcheck for the admin ui if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-admin-ui"` | The name of the admin ui port within the admin service. Please keep it as default. | +| service.port | int | `8080` | Port of the admin ui service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/deployment.yml new file mode 100644 index 0000000000..d364cef18a --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/deployment.yml @@ -0,0 +1,228 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "admin-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + template: + metadata: + labels: + APP_NAME: admin-ui + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "admin-ui.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "admin-ui.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + {{- include "admin-ui.usr-envs" . | indent 12 }} + {{- include "admin-ui.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "admin-ui.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.1.1/charts/admin-ui/values.yaml new file mode 100644 index 0000000000..0ba7b68196 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/admin-ui/values.yaml @@ -0,0 +1,92 @@ +# -- Admin GUI. Requires license. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/admin-ui + # -- Image tag to use for deploying. + tag: 5.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the admin ui port within the admin service. Please keep it as default. + name: http-admin-ui + # -- Port of the admin ui service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the admin ui if needed. +livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure the readiness healthcheck for the admin ui if needed. +readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/Chart.yaml new file mode 100644 index 0000000000..7f19f03d5a --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Responsible for regenerating auth-keys per x hours +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Auth keys Rotation +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server-key-rotation +sources: +- https://github.com/JanssenProject/docker-jans-certmanager +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server-key-rotation +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/README.md new file mode 100644 index 0000000000..d2af4b5cb2 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/README.md @@ -0,0 +1,53 @@ +# auth-server-key-rotation + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Responsible for regenerating auth-keys per x hours + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/certmanager"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| keysLife | int | `48` | Auth server key rotation keys life in hours | +| keysPushDelay | int | `0` | Delay (in seconds) before pushing private keys to Auth server | +| keysPushStrategy | string | `"NEWER"` | Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) | +| keysStrategy | string | `"NEWER"` | Set key selection strategy used by Auth server | +| lifecycle | object | `{}` | | +| nodeSelector | object | `{}` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/cronjobs.yaml new file mode 100644 index 0000000000..3f159db5a7 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/cronjobs.yaml @@ -0,0 +1,189 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server-key-rotation + release: {{ .Release.Name }} +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + schedule: "@every {{ .Values.keysLife }}h" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "auth-server-key-rotation.name" . }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 20}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + {{- include "auth-server-key-rotation.usr-envs" . | indent 16 }} + {{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 16 }} + volumeMounts: + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 16 }} + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 16 }} + {{- end }} + args: ["patch", "auth", "--opts", "interval:{{ .Values.keysLife }}", "--opts", "key-strategy:{{ .Values.keysStrategy }}", "--opts", "privkey-push-delay:{{ .Values.keysPushDelay }}", "--opts", "privkey-push-strategy:{{ .Values.keysPushStrategy }}"] + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..af58e82830 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/values.yaml new file mode 100644 index 0000000000..67380da4a5 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server-key-rotation/values.yaml @@ -0,0 +1,62 @@ + +# -- Responsible for regenerating auth-keys per x hours +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/certmanager + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Auth server key rotation keys life in hours +keysLife: 48 +# -- Set key selection strategy used by Auth server +keysStrategy: NEWER +# -- Delay (in seconds) before pushing private keys to Auth server +keysPushDelay: 0 +# -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) +keysPushStrategy: NEWER +# -- Resource specs. +resources: + limits: + cpu: 300m + memory: 300Mi + requests: + cpu: 300m + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/.helmignore b/charts/gluu/gluu/5.1.1/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/Chart.yaml new file mode 100644 index 0000000000..2311850124 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization + Server--this is the main Internet facing component of Gluu. It's the service that + returns tokens, JWT's and identity assertions. This service must be Internet facing. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- Authorization +- OpenID +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: auth-server +sources: +- https://github.com/JanssenProject/jans-auth-server +- https://github.com/JanssenProject/docker-jans-auth-server +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/auth-server +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/README.md b/charts/gluu/gluu/5.1.1/charts/auth-server/README.md new file mode 100644 index 0000000000..593c4b9c5f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/README.md @@ -0,0 +1,62 @@ +# auth-server + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/auth-server"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-auth"` | The name of the oxauth port within the oxauth service. Please keep it as default. | +| service.port | int | `8080` | Port of the oxauth service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/_helpers.tpl new file mode 100644 index 0000000000..8abe7329de --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/_helpers.tpl @@ -0,0 +1,113 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +helm.sh/chart: {{ include "auth-server.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "auth-server.customJavaOptions"}} +{{ $custom := "" }} +{{- $cnCustomJavaOptions := index .Values.global "auth-server" "cnCustomJavaOptions" }} +{{- $custom := printf "%s" $cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "auth-server.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "auth-server.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/deployment.yml new file mode 100644 index 0000000000..a5524d9f07 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/deployment.yml @@ -0,0 +1,324 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "auth-server.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + template: + metadata: + labels: + APP_NAME: auth-server + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "auth-server.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "auth-server.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + env: + - name: CN_AUTH_JAVA_OPTIONS + value: {{ include "auth-server.customJavaOptions" . | trim }} + {{- include "auth-server.usr-envs" . | indent 12 }} + {{- include "auth-server.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + mountPath: /etc/certs/ob-ext-signing.pin + subPath: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + mountPath: /etc/certs/ob-ext-signing.key + subPath: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + mountPath: /etc/certs/ob-ext-signing.crt + subPath: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + mountPath: /etc/certs/ob-transport.pin + subPath: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + mountPath: /etc/certs/ob-transport.key + subPath: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + mountPath: /etc/certs/ob-transport.crt + subPath: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + mountPath: /etc/certs/ob-transport-truststore.p12 + subPath: ob-transport-truststore.p12 + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if .Values.global.cnObExtSigningJwksCrt }} + - name: cn-ob-ext-signing-jwks-crt + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.crt + path: ob-ext-signing.crt + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKey }} + - name: cn-ob-ext-signing-jwks-key + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.key + path: ob-ext-signing.key + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + - name: cn-ob-ext-signing-jwks-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + items: + - key: ob-ext-signing.pin + path: ob-ext-signing.pin + {{- end }} + {{ if .Values.global.cnObTransportCrt }} + - name: cn-ob-transport-crt + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.crt + path: ob-transport.crt + {{- end }} + {{ if .Values.global.cnObTransportKey }} + - name: cn-ob-transport-key + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.key + path: ob-transport.key + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + - name: cn-ob-transport-key-passphrase + secret: + secretName: {{ .Release.Name }}-ob-transport-crt-key-pin + items: + - key: ob-transport.pin + path: ob-transport.pin + {{- end }} + {{ if .Values.global.cnObTransportTrustStore }} + - name: cn-ob-transport-truststore + secret: + secretName: {{ .Release.Name }}-ob-transport-truststore + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "auth-server.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/auth-server/values.yaml b/charts/gluu/gluu/5.1.1/charts/auth-server/values.yaml new file mode 100644 index 0000000000..e2553ab909 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/auth-server/values.yaml @@ -0,0 +1,94 @@ + +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the oxauth port within the oxauth service. Please keep it as default. + name: http-auth + # -- Port of the oxauth service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.1/charts/casa/.helmignore b/charts/gluu/gluu/5.1.1/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.1/charts/casa/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/casa/Chart.yaml new file mode 100644 index 0000000000..7bd9a53967 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Jans Casa ("Casa") is a self-service web portal for end-users to manage + authentication and authorization preferences for their account in a Jans Server. +home: https://gluu.org/docs/casa/ +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- casa +- 2FA +- passwordless +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: casa +sources: +- https://gluu.org/casa/ +- https://github.com/JanssenProject/jans/docker-jans-casa +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/casa/README.md b/charts/gluu/gluu/5.1.1/charts/casa/README.md new file mode 100644 index 0000000000..ed476add25 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/README.md @@ -0,0 +1,66 @@ +# casa + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/casa"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for casa if needed. | +| livenessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http liveness probe endpoint | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the casa if needed. | +| readinessProbe.httpGet.path | string | `"/jans-casa/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-casa"` | The name of the casa port within the casa service. Please keep it as default. | +| service.port | int | `8080` | Port of the casa service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/casa/templates/_helpers.tpl new file mode 100644 index 0000000000..efdb4a4605 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/_helpers.tpl @@ -0,0 +1,122 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "casa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "casa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "casa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "casa.labels" -}} +app: {{ .Release.Name }}-{{ include "casa.name" . }} +helm.sh/chart: {{ include "casa.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "casa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "casa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "casa.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "casa.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "casa.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.casa.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "casa.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "casa.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..3d34e05410 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /jans-casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/deployment.yaml new file mode 100644 index 0000000000..fd41e3cdaf --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/deployment.yaml @@ -0,0 +1,240 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "casa.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: casa + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "casa.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "casa.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_CASA_JAVA_OPTIONS + value: {{ include "casa.customJavaOptions" . | trim }} + {{- include "casa.usr-envs" . | indent 12 }} + {{- include "casa.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "casa.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/casa/values.yaml b/charts/gluu/gluu/5.1.1/charts/casa/values.yaml new file mode 100644 index 0000000000..391b0e057b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/casa/values.yaml @@ -0,0 +1,107 @@ +# -- Jans Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Jans Server. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/casa + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the casa service. Please keep it as default. + port: 8080 + # -- The name of the casa port within the casa service. Please keep it as default. + name: http-casa + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for casa if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the casa if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/Chart.yaml new file mode 100644 index 0000000000..714bd359e3 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Istio Gateway +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- istio +- gateway +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: cn-istio-ingress +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/cn-istio-ingress +type: application +version: 5.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/README.md new file mode 100644 index 0000000000..77c7172542 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/README.md @@ -0,0 +1,25 @@ +# cn-istio-ingress + +![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Istio Gateway + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..13434720ad --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,37 @@ +{{- if not .Values.global.istio.gateways }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/.helmignore b/charts/gluu/gluu/5.1.1/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/Chart.yaml new file mode 100644 index 0000000000..9850b51fe0 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Jans Config Api endpoints can be used to configure jans-auth-server, + which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server + (AS) +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config-api +sources: +- https://github.com/JanssenProject/jans/jans-config-api +- https://github.com/JanssenProject/jans/docker-jans-config-api +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config-api +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/README.md b/charts/gluu/gluu/5.1.1/charts/config-api/README.md new file mode 100644 index 0000000000..f738607c28 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/README.md @@ -0,0 +1,66 @@ +# config-api + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Jans Config Api endpoints can be used to configure jans-auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS) + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/config-api"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the auth server if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-config-api/api/v1/health/live","port":8074}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"httpGet":{"path":"/jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the auth server if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"2500m"` | CPU limit. | +| resources.limits.memory | string | `"2500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"2500m"` | CPU request. | +| resources.requests.memory | string | `"2500Mi"` | Memory request. | +| service.name | string | `"http-config-api"` | The name of the config-api port within the config-api service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/config-api/templates/_helpers.tpl new file mode 100644 index 0000000000..0fee22c05c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/_helpers.tpl @@ -0,0 +1,112 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config-api.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config-api.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config-api.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config-api.labels" -}} +app: {{ .Release.Name }}-{{ include "config-api.name" . }} +helm.sh/chart: {{ include "config-api.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config-api.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config-api.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "config-api.customJavaOptions"}} +{{ $custom := "" }} +{{- $cnCustomJavaOptions := index .Values.global "config-api" "cnCustomJavaOptions" }} +{{- $custom := printf "%s" $cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "config-api.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "config-api.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/deployment.yaml new file mode 100644 index 0000000000..77dcec6d91 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/deployment.yaml @@ -0,0 +1,227 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "config-api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "config-api.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "config-api.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_CONFIG_API_JAVA_OPTIONS + value: {{ include "config-api.customJavaOptions" . | trim }} + {{- include "config-api.usr-envs" . | indent 12 }} + {{- include "config-api.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9444 + - containerPort: 8074 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "config-api.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/config-api/values.yaml b/charts/gluu/gluu/5.1.1/charts/config-api/values.yaml new file mode 100644 index 0000000000..973222cd6b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config-api/values.yaml @@ -0,0 +1,102 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi +service: + # -- The name of the config-api port within the config-api service. Please keep it as default. + name: http-config-api + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the auth server if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the auth server if needed. +readinessProbe: + httpGet: + path: /jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/charts/config/.helmignore b/charts/gluu/gluu/5.1.1/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/5.1.1/charts/config/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/config/Chart.yaml new file mode 100644 index 0000000000..c59c260514 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Configuration parameters for setup and initial configuration secret and + config layers used by Gluu services. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- configuration +- secrets +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: config +sources: +- https://gluu.org/docs/gluu-server/reference/container-configs/ +- https://github.com/JanssenProject/jans/docker-jans-configurator +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/config +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/config/README.md b/charts/gluu/gluu/5.1.1/charts/config/README.md new file mode 100644 index 0000000000..01b3fada5c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/README.md @@ -0,0 +1,133 @@ +# config + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| adminPassword | string | `"Test1234#"` | Admin password to log in to the UI. | +| city | string | `"Austin"` | City. Used for certificate creation. | +| configmap.cnAwsAccessKeyId | string | `""` | | +| configmap.cnAwsDefaultRegion | string | `"us-west-1"` | | +| configmap.cnAwsProfile | string | `"gluu"` | | +| configmap.cnAwsSecretAccessKey | string | `""` | | +| configmap.cnAwsSecretsEndpointUrl | string | `""` | | +| configmap.cnAwsSecretsNamePrefix | string | `"gluu"` | | +| configmap.cnAwsSecretsReplicaRegions | list | `[]` | | +| configmap.cnCacheType | string | `"NATIVE_PERSISTENCE"` | Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . | +| configmap.cnConfigKubernetesConfigMap | string | `"cn"` | The name of the Kubernetes ConfigMap that will hold the configuration layer | +| configmap.cnCouchbaseBucketPrefix | string | `"jans"` | The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. | +| configmap.cnCouchbaseCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. | +| configmap.cnCouchbaseIndexNumReplica | int | `0` | The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. | +| configmap.cnCouchbasePassword | string | `"P@ssw0rd"` | Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . | +| configmap.cnCouchbaseSuperUser | string | `"admin"` | The Couchbase super user (admin) user name. This user is used during initialization only. | +| configmap.cnCouchbaseSuperUserPassword | string | `"Test1234#"` | Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol | +| configmap.cnCouchbaseUrl | string | `"cbgluu.default.svc.cluster.local"` | Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster | +| configmap.cnCouchbaseUser | string | `"gluu"` | Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. | +| configmap.cnGoogleProjectId | string | `"google-project-to-save-config-and-secrets-to"` | Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretManagerServiceAccount | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretNamePrefix | string | `"gluu"` | Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSecretVersionId | string | `"latest"` | Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. | +| configmap.cnGoogleSpannerDatabaseId | string | `""` | Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnGoogleSpannerInstanceId | string | `""` | Google Spanner ID. Used only when global.cnPersistenceType is spanner. | +| configmap.cnJettyRequestHeaderSize | int | `8192` | Jetty header size in bytes in the auth server | +| configmap.cnLdapCrt | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ certificate string. This must be encoded using base64. | +| configmap.cnLdapKey | string | `"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo="` | OpenDJ key string. This must be encoded using base64. | +| configmap.cnLdapUrl | string | `"opendj:1636"` | OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. | +| configmap.cnMaxRamPercent | string | `"75.0"` | Value passed to Java option -XX:MaxRAMPercentage | +| configmap.cnMessageType | string | `"DISABLED"` | Message type (one of POSTGRES, REDIS, or DISABLED) | +| configmap.cnOpaUrl | string | `"http://opa.opa.svc.cluster.cluster.local:8181/v1"` | URL of OPA API | +| configmap.cnPersistenceHybridMapping | string | `"{}"` | Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. { "default": "", "user": "", "site": "", "cache": "", "token": "", "session": "", } | +| configmap.cnRedisSentinelGroup | string | `""` | Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisSslTruststore | string | `""` | Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisType | string | `"STANDALONE"` | Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUrl | string | `"redis.redis.svc.cluster.local:6379"` | Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnRedisUseSsl | bool | `false` | Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. | +| configmap.cnSecretKubernetesSecret | string | `"cn"` | Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. | +| configmap.cnSqlDbDialect | string | `"mysql"` | SQL database dialect. `mysql` or `pgsql` | +| configmap.cnSqlDbHost | string | `"my-release-mysql.default.svc.cluster.local"` | SQL database host uri. | +| configmap.cnSqlDbName | string | `"gluu"` | SQL database name. | +| configmap.cnSqlDbPort | int | `3306` | SQL database port. | +| configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. | +| configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. | +| configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password injected in the secrets. | +| configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. | +| configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. | +| configmap.cnVaultKvPath | string | `"secret"` | Path to Vault KV secrets engine. | +| configmap.cnVaultNamespace | string | `""` | Vault namespace used to access the secrets. | +| configmap.cnVaultPrefix | string | `"jans"` | Base prefix name used to access secrets. | +| configmap.cnVaultRoleId | string | `""` | Vault AppRole RoleID. | +| configmap.cnVaultRoleIdFile | string | `"/etc/certs/vault_role_id"` | Path to file contains Vault AppRole role ID. | +| configmap.cnVaultSecretId | string | `""` | Vault AppRole SecretID. | +| configmap.cnVaultSecretIdFile | string | `"/etc/certs/vault_secret_id"` | Path to file contains Vault AppRole secret ID. | +| configmap.cnVaultVerify | bool | `false` | Verify connection to Vault. | +| configmap.containerMetadataName | string | `"kubernetes"` | | +| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access | +| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). | +| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name | +| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host | +| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). | +| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. | +| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username | +| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. | +| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level | +| configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) | +| configmap.lbAddr | string | `""` | Loadbalancer address for AWS if the FQDN is not registered. | +| configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. | +| countryCode | string | `"US"` | Country code. Used for certificate creation. | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| email | string | `"team@gluu.org"` | Email address of the administrator usually. Used for certificate creation. | +| fullNameOverride | string | `""` | | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/configurator"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| ldapPassword | string | `"P@ssw0rds"` | LDAP admin password if OpennDJ is used for persistence. | +| ldapTruststorePassword | string | `"changeit"` | LDAP truststore password if OpenDJ is used for persistence | +| lifecycle | object | `{}` | | +| migration | object | `{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"}` | CE to CN Migration section | +| migration.enabled | bool | `false` | Boolean flag to enable migration from CE | +| migration.migrationDataFormat | string | `"ldif"` | migration data-format depending on persistence backend. Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. | +| migration.migrationDir | string | `"/ce-migration"` | Directory holding all migration files | +| nameOverride | string | `""` | | +| orgName | string | `"Gluu"` | Organization name. Used for certificate creation. | +| redisPassword | string | `"P@assw0rd"` | Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit. | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. | +| state | string | `"TX"` | State code. Used for certificate creation. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service. | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service. variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service. variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..b8fd74dfb3 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.casa.enabled}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..9265387494 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/configmaps.yaml @@ -0,0 +1,483 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + # [vault_envs] Envs related to Hashicorp vault + {{ if eq .Values.global.configSecretAdapter "vault" }} + CN_SECRET_VAULT_ADDR: {{ .Values.configmap.cnVaultAddr | quote }} + CN_SECRET_VAULT_VERIFY: {{ .Values.configmap.cnVaultVerify | quote }} + CN_SECRET_VAULT_ROLE_ID_FILE: {{ .Values.configmap.cnVaultRoleIdFile | quote }} + CN_SECRET_VAULT_SECRET_ID_FILE: {{ .Values.configmap.cnVaultSecretIdFile | quote }} + CN_SECRET_VAULT_NAMESPACE: {{ .Values.configmap.cnVaultNamespace | quote }} + CN_SECRET_VAULT_KV_PATH: {{ .Values.configmap.cnVaultKvPath | quote }} + CN_SECRET_VAULT_PREFIX: {{ .Values.configmap.cnVaultPrefix | quote }} + CN_SECRET_VAULT_APPROLE_PATH: {{ .Values.configmap.cnVaultAppRolePath | quote }} + # [vault_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + {{ if or (eq .Values.configmap.cnCacheType "REDIS") (eq .Values.configmap.cnMessageType "REDIS") }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled}} # CASA + CN_CASA_APP_LOGGERS: {{ .Values.global.casa.appLoggers + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.global.cnCouchbasePasswordFile }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + CN_LDAP_PASSWORD_FILE: {{ .Values.global.cnLdapPasswordFile }} + CN_LDAP_TRUSTSTORE_PASSWORD_FILE: {{ .Values.global.cnLdapTruststorePasswordFile }} + CN_LDAP_CERT_FILE: {{ .Values.global.cnLdapCertFile }} + CN_LDAP_KEY_FILE: {{ .Values.global.cnLdapKeyFile }} + CN_LDAP_CACERT_FILE: {{ .Values.global.cnLdapCacertFile }} + CN_LDAP_TRUSTSTORE_FILE: {{ .Values.global.cnLdapTruststoreFile }} + CN_CONFIG_API_PLUGINS: {{ index .Values "global" "config-api" "plugins" | quote }} + {{- if .Values.global.saml.enabled }} + QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: {{ .Values.configmap.quarkusTransactionEnableRecovery | quote }} + KC_LOG_LEVEL: {{ .Values.configmap.kcLogLevel | quote }} + KC_PROXY: {{ .Values.configmap.kcProxy | quote }} + KC_DB: {{ .Values.configmap.kcDbVendor | quote }} + KC_DB_USERNAME: {{ .Values.configmap.kcDbUsername | quote }} + KC_DB_SCHEMA: {{ .Values.configmap.kcDbSchema | quote }} + KC_DB_URL_HOST: {{ .Values.configmap.kcDbUrlHost | quote }} + KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} + KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} + KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} + CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.global.kcDbPasswordFile | quote }} + CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.global.kcAdminCredentialsFile | quote }} + {{- end }} + CN_LOCK_ENABLED: {{ index .Values "global" "auth-server" "lockEnabled" | quote }} + CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} + CN_MESSAGE_TYPE: {{ .Values.configmap.cnMessageType | quote }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + import base64 + + from jans.pycloudlib import get_manager + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + def b64encode(value): + return base64.b64encode(value.encode()).decode() + + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") + if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert or key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.1.1/charts/config/templates/load-init-config.yml new file mode 100644 index 0000000000..9988d9ceb9 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/load-init-config.yml @@ -0,0 +1,192 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "config.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "config.name" . }}-job + labels: + APP_NAME: configurator + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + - name: {{ include "config.fullname" . }}-mount-gen-file + secret: + secretName: {{ include "config.fullname" . }}-gen-json-file + - name: {{ include "config.fullname" . }}-tls-script + configMap: + name: {{ include "config.fullname" . }}-tls-script + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} + containers: + - name: {{ include "config.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "config.usr-envs" . | indent 12 }} + {{- include "config.usr-secret-envs" . | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + - mountPath: /app/db/generate.json + name: {{ include "config.fullname" . }}-mount-gen-file + subPath: generate.json + - mountPath: /scripts/tls_generator.py + name: {{ include "config.fullname" . }}-tls-script + subPath: tls_generator.py + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if .Values.migration.enabled }} + /app/scripts/entrypoint.sh migrate --migration-dir {{ .Values.migration.migrationDir | quote }} --data-format {{ .Values.migration.migrationDataFormat | quote }} && /usr/bin/python3 /scripts/tls_generator.py + {{- else }} + /app/scripts/entrypoint.sh load && /usr/bin/python3 /scripts/tls_generator.py + {{- end }} + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + restartPolicy: Never diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..31fa0e439e --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/secrets.yaml @@ -0,0 +1,251 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}, + "salt": {{ .Values.salt | quote }}, + "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{ if eq .Values.global.configSecretAdapter "vault" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-vault + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + vault_role_id: {{ .Values.configmap.cnVaultRoleId | b64enc }} + vault_secret_id: {{ .Values.configmap.cnVaultSecretId | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + ldap_password: {{ .Values.ldapPassword | b64enc }} + ldap_truststore_password: {{ .Values.ldapTruststorePassword | b64enc }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-certkey + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + opendj.crt: |- +{{ .Values.configmap.cnLdapCrt | indent 4 }} + opendj.key: |- +{{ .Values.configmap.cnLdapKey | indent 4 }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-sql-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }} + couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }} +{{- end}} + + +{{- if .Values.global.saml.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-kc-db-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.1.1/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.1.1/charts/config/values.yaml b/charts/gluu/gluu/5.1.1/charts/config/values.yaml new file mode 100644 index 0000000000..9491bbb3f7 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/config/values.yaml @@ -0,0 +1,239 @@ + +# Required environment variables for generating Gluu server initial config +# -- Add custom normal and secret envs to the service. +usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} +# -- Admin password to log in to the UI. +adminPassword: Test1234# +# -- City. Used for certificate creation. +city: Austin +# -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. +salt: "" +configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected in the secrets. + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + containerMetadataName: kubernetes + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) user name. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- Specify data that should be saved in each persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Loadbalancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED +# -- Country code. Used for certificate creation. +countryCode: US +# -- Email address of the administrator usually. Used for certificate creation. +email: team@gluu.org +image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- LDAP admin password if OpennDJ is used for persistence. +ldapPassword: P@ssw0rds +# -- LDAP truststore password if OpenDJ is used for persistence +ldapTruststorePassword: changeit +# -- Organization name. Used for certificate creation. +orgName: Gluu +# -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. +redisPassword: P@assw0rd +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- State code. Used for certificate creation. +state: TX +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +# -- CE to CN Migration section +migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + +nameOverride: "" +fullNameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/.helmignore b/charts/gluu/gluu/5.1.1/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/Chart.yaml new file mode 100644 index 0000000000..e23565b71f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging + common devices to authenticate to online services in both mobile and desktop environments. +home: https://docs.gluu.org/ +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- fido2 +- u2f +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: fido2 +sources: +- https://gluu.org/docs/gluu-server/ +- https://github.com/JanssenProject/jans/jans-fido2 +- https://github.com/JanssenProject/jans/docker-jans-fido2 +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/fido2 +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/README.md b/charts/gluu/gluu/5.1.1/charts/fido2/README.md new file mode 100644 index 0000000000..295f1b77db --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/README.md @@ -0,0 +1,63 @@ +# fido2 + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/fido2"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the liveness healthcheck for the fido2 if needed. | +| livenessProbe.httpGet | object | `{"path":"/jans-fido2/sys/health-check","port":"http-fido2"}` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the readiness healthcheck for the fido2 if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| service.name | string | `"http-fido2"` | The name of the fido2 port within the fido2 service. Please keep it as default. | +| service.port | int | `8080` | Port of the fido2 service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/fido2/templates/_helpers.tpl new file mode 100644 index 0000000000..622416f343 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/_helpers.tpl @@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "fido2.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "fido2.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "fido2.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "fido2.labels" -}} +app: {{ .Release.Name }}-{{ include "fido2.name" . }} +helm.sh/chart: {{ include "fido2.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "fido2.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "fido2.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "fido2.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.fido2.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "fido2.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "fido2.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/deployment.yml new file mode 100644 index 0000000000..8ec0385f9d --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/deployment.yml @@ -0,0 +1,236 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "fido2.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + template: + metadata: + labels: + APP_NAME: fido2 + app: {{ .Release.Name }}-{{ include "fido2.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "fido2.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "fido2.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + - name: CN_FIDO2_JAVA_OPTIONS + value: {{ include "fido2.customJavaOptions" . | trim }} + {{- include "fido2.usr-envs" . | indent 12 }} + {{- include "fido2.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "fido2.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..fe906fa682 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.fido2.ingress.fido2ConfigEnabled }} + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.fido2.ingress.fido2Enabled }} + - name: {{ .Release.Name }}-istio-fido2 + match: + - uri: + prefix: "/jans-fido2" + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/fido2/values.yaml b/charts/gluu/gluu/5.1.1/charts/fido2/values.yaml new file mode 100644 index 0000000000..99f776a782 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/fido2/values.yaml @@ -0,0 +1,95 @@ + +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. + +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/fido2 + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the fido2 if needed. +livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the fido2 if needed. +readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/link/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/link/Chart.yaml new file mode 100644 index 0000000000..aba5467518 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Jans Link +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- link +kubeVersion: '>=v1.22.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: link +sources: +- https://github.com/JanssenProject/jans/jans-link +- https://github.com/JanssenProject/jans/docker-jans-link +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/link/README.md b/charts/gluu/gluu/5.1.1/charts/link/README.md new file mode 100644 index 0000000000..4eb60b12db --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/README.md @@ -0,0 +1,65 @@ +# link + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Jans Link + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.22.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| affinity | object | `{}` | | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"ghcr.io/janssenproject/jans/link"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for the link if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| nodeSelector | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the link if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"1000Mi"},"requests":{"cpu":"500m","memory":"1000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-link"` | The name of the link port within the link service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| tolerations | list | `[]` | | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/link/templates/_helpers.tpl new file mode 100644 index 0000000000..49c1621e5b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/_helpers.tpl @@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "link.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "link.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "link.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "link.labels" -}} +app: {{ .Release.Name }}-{{ include "link.name" . }} +helm.sh/chart: {{ include "link.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "link.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "link.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "link.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.link.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "link.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "link.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/deployment.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/deployment.yaml new file mode 100644 index 0000000000..d9398cadd9 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/deployment.yaml @@ -0,0 +1,226 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "link.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + template: + metadata: + labels: + app: {{ .Release.Name }}-{{ include "link.name" . }} + release: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "link.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "link.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_LINK_JAVA_OPTIONS + value: {{ include "link.customJavaOptions" . | trim }} + {{- include "link.usr-envs" . | indent 12 }} + {{- include "link.usr-secret-envs" . | indent 12 }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + ports: + - containerPort: 9091 + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + mountPath: /scripts + {{- end }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "link.name" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/hpa.yaml new file mode 100644 index 0000000000..0b706a2d2b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "link.fullname" . }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "link.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/link-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/link-destination-rules.yaml new file mode 100644 index 0000000000..993f7ded03 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/link-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-link-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/link-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/link-pdb.yaml new file mode 100644 index 0000000000..1db31aa244 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/link-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "link.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/link-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/link-virtual-services.yaml new file mode 100644 index 0000000000..b1bd93214d --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/link-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "link" "ingress" "linkEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-link + namespace: {{.Release.Namespace}} + labels: + APP_NAME:link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-link + match: + - uri: + prefix: /jans-link + route: + - destination: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 9091 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/link/templates/service.yaml new file mode 100644 index 0000000000..1221c29090 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "link" "linkServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9091 + name: tcp-{{ include "link.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "link.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/link/values.yaml b/charts/gluu/gluu/5.1.1/charts/link/values.yaml new file mode 100644 index 0000000000..facaecac31 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/link/values.yaml @@ -0,0 +1,104 @@ +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + + +nameOverride: "" +fullnameOverride: "" + +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the link port within the link service. Please keep it as default. + name: http-link + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for the link if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the link if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + +nodeSelector: {} + +tolerations: [] + +affinity: {} +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/Chart.yaml new file mode 100644 index 0000000000..16e6ec6a37 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Nginx ingress definitions chart +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- nginx +- ingress +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: nginx-ingress +sources: +- https://github.com/kubernetes/ingress-nginx +- https://kubernetes.io/docs/concepts/services-networking/ingress/ +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/nginx-ingress +type: application +version: 5.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/README.md new file mode 100644 index 0000000000..ab86bdaa2d --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/README.md @@ -0,0 +1,66 @@ +# nginx-ingress + +![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Nginx ingress definitions chart + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | | +| ingress | object | `{"additionalAnnotations":{},"additionalLabels":{},"authServerAdditionalAnnotations":{},"authServerLabels":{},"casaAdditionalAnnotations":{},"casaLabels":{},"deviceCodeAdditionalAnnotations":{},"deviceCodeLabels":{},"enabled":true,"fido2AdditionalAnnotations":{},"fido2ConfigAdditionalAnnotations":{},"fido2ConfigLabels":{},"fido2Enabled":false,"fido2Labels":{},"firebaseMessagingAdditionalAnnotations":{},"firebaseMessagingLabels":{},"hosts":["demoexample.gluu.org"],"ingressClassName":"nginx","legacy":false,"openidAdditionalAnnotations":{},"openidConfigLabels":{},"path":"/","samlAdditionalAnnotations":{},"samlLabels":{},"scimAdditionalAnnotations":{},"scimConfigAdditionalAnnotations":{},"scimConfigLabels":{},"scimLabels":{},"tls":[{"hosts":["demoexample.gluu.org"],"secretName":"tls-certificate"}],"u2fAdditionalAnnotations":{},"u2fConfigLabels":{},"uma2AdditionalAnnotations":{},"uma2ConfigLabels":{},"webdiscoveryAdditionalAnnotations":{},"webdiscoveryLabels":{},"webfingerAdditionalAnnotations":{},"webfingerLabels":{}}` | Nginx ingress definitions chart | +| ingress.additionalAnnotations | object | `{}` | Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" | +| ingress.additionalLabels | object | `{}` | Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} | +| ingress.authServerAdditionalAnnotations | object | `{}` | Auth server ingress resource additional annotations. | +| ingress.authServerLabels | object | `{}` | Auth server config ingress resource labels. key app is taken | +| ingress.casaAdditionalAnnotations | object | `{}` | Casa ingress resource additional annotations. | +| ingress.casaLabels | object | `{}` | Casa ingress resource labels. key app is taken | +| ingress.deviceCodeAdditionalAnnotations | object | `{}` | device-code ingress resource additional annotations. | +| ingress.deviceCodeLabels | object | `{}` | device-code ingress resource labels. key app is taken | +| ingress.fido2AdditionalAnnotations | object | `{}` | fido2 ingress resource additional annotations. | +| ingress.fido2ConfigAdditionalAnnotations | object | `{}` | fido2 config ingress resource additional annotations. | +| ingress.fido2ConfigLabels | object | `{}` | fido2 config ingress resource labels. key app is taken | +| ingress.fido2Enabled | bool | `false` | Enable all fido2 endpoints | +| ingress.fido2Labels | object | `{}` | fido2 ingress resource labels. key app is taken | +| ingress.firebaseMessagingAdditionalAnnotations | object | `{}` | Firebase Messaging ingress resource additional annotations. | +| ingress.firebaseMessagingLabels | object | `{}` | Firebase Messaging ingress resource labels. key app is taken | +| ingress.legacy | bool | `false` | Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. | +| ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. | +| ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken | +| ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. | +| ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken | +| ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. | +| ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. | +| ingress.scimConfigLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.scimLabels | object | `{}` | scim config ingress resource labels. key app is taken | +| ingress.u2fAdditionalAnnotations | object | `{}` | u2f config ingress resource additional annotations. | +| ingress.u2fConfigLabels | object | `{}` | u2f config ingress resource labels. key app is taken | +| ingress.uma2AdditionalAnnotations | object | `{}` | uma2 config ingress resource additional annotations. | +| ingress.uma2ConfigLabels | object | `{}` | uma 2 config ingress resource labels. key app is taken | +| ingress.webdiscoveryAdditionalAnnotations | object | `{}` | webdiscovery ingress resource additional annotations. | +| ingress.webdiscoveryLabels | object | `{}` | webdiscovery ingress resource labels. key app is taken | +| ingress.webfingerAdditionalAnnotations | object | `{}` | webfinger ingress resource additional annotations. | +| ingress.webfingerLabels | object | `{}` | webfinger ingress resource labels. key app is taken | +| nameOverride | string | `""` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..8069c0038b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,843 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2Labels }} +{{ toYaml .Values.ingress.fido2Labels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.fido2AdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.saml.ingress.samlEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-saml + labels: + app: {{ $fullName }}-saml +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.samlLabels }} +{{ toYaml .Values.ingress.samlLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "saml-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.samlAdditionalAnnotations }} +{{ toYaml .Values.ingress.samlAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /kc + pathType: Prefix + backend: + service: + name: {{ .Values.global.saml.samlServiceName }} + port: + number: 8083 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..901a6ca1a7 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/nginx-ingress/values.yaml @@ -0,0 +1,87 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/.helmignore b/charts/gluu/gluu/5.1.1/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/Chart.yaml new file mode 100644 index 0000000000..be1827c6bc --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: OpenDJ is a directory server which implements a wide range of Lightweight + Directory Access Protocol and related standards, including full compliance with + LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in + Java, OpenDJ offers multi-master replication, access control, and many extensions. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- LDAP +- OpenDJ +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: opendj +sources: +- https://github.com/GluuFederation/docker-opendj +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/opendj +type: application +version: 5.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/README.md b/charts/gluu/gluu/5.1.1/charts/opendj/README.md new file mode 100644 index 0000000000..d19b607856 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/README.md @@ -0,0 +1,75 @@ +# opendj + +![Version: 5.1.1](https://img.shields.io/badge/Version-5.1.1--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"gluufederation/opendj"` | Image to use for deploying. | +| image.tag | string | `"5.0.0_dev"` | Image tag to use for deploying. | +| lifecycle.preStop.exec.command[0] | string | `"/bin/sh"` | | +| lifecycle.preStop.exec.command[1] | string | `"-c"` | | +| lifecycle.preStop.exec.command[2] | string | `"python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":20,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for OpenDJ if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| openDjVolumeMounts.config.mountPath | string | `"/opt/opendj/config"` | | +| openDjVolumeMounts.config.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.db.mountPath | string | `"/opt/opendj/db"` | | +| openDjVolumeMounts.db.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.flag.mountPath | string | `"/flag"` | | +| openDjVolumeMounts.flag.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.ldif.mountPath | string | `"/opt/opendj/ldif"` | | +| openDjVolumeMounts.ldif.name | string | `"opendj-volume"` | | +| openDjVolumeMounts.logs.mountPath | string | `"/opt/opendj/logs"` | | +| openDjVolumeMounts.logs.name | string | `"opendj-volume"` | | +| persistence.accessModes | string | `"ReadWriteOnce"` | | +| persistence.size | string | `"5Gi"` | OpenDJ volume size | +| persistence.type | string | `"DirectoryOrCreate"` | | +| ports | object | `{"tcp-admin":{"nodePort":"","port":4444,"protocol":"TCP","targetPort":4444},"tcp-ldap":{"nodePort":"","port":1389,"protocol":"TCP","targetPort":1389},"tcp-ldaps":{"nodePort":"","port":1636,"protocol":"TCP","targetPort":1636},"tcp-repl":{"nodePort":"","port":8989,"protocol":"TCP","targetPort":8989},"tcp-serf":{"nodePort":"","port":7946,"protocol":"TCP","targetPort":7946},"udp-serf":{"nodePort":"","port":7946,"protocol":"UDP","targetPort":7946}}` | servicePorts values used in StatefulSet container | +| readinessProbe | object | `{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":1636},"timeoutSeconds":5}` | Configure the readiness healthcheck for OpenDJ if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"1500m","memory":"2000Mi"},"requests":{"cpu":"1500m","memory":"2000Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"1500m"` | CPU limit. | +| resources.limits.memory | string | `"2000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1500m"` | CPU request. | +| resources.requests.memory | string | `"2000Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..0227258a46 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,110 @@ +{{- if and ( .Values.backup.enabled ) (or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid")) }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${CN_MAX_RAM_PERCENTAGE} ${CN_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + python3 /app/scripts/wait.py + python3 /app/scripts/bootstrap.py + + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + volumeMounts: + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + restartPolicy: Never + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..a44a60e217 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,125 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/opendj/values.yaml b/charts/gluu/gluu/5.1.1/charts/opendj/values.yaml new file mode 100644 index 0000000000..d397c37385 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/opendj/values.yaml @@ -0,0 +1,140 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/.helmignore b/charts/gluu/gluu/5.1.1/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/persistence/Chart.yaml new file mode 100644 index 0000000000..456919f269 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Job to generate data and initial config for Gluu Server persistence layer. +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- persistence prep +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: persistence +sources: +- https://github.com/JanssenProject/jans/docker-jans-persistence-loader +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/persistence +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/README.md b/charts/gluu/gluu/5.1.1/charts/persistence/README.md new file mode 100644 index 0000000000..cf340d2c33 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/README.md @@ -0,0 +1,53 @@ +# persistence + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Job to generate data and initial config for Gluu Server persistence layer. + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/persistence"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| imagePullSecrets | list | `[]` | | +| lifecycle | object | `{}` | | +| nameOverride | string | `""` | | +| resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"300m"` | CPU limit | +| resources.limits.memory | string | `"300Mi"` | Memory limit. | +| resources.requests.cpu | string | `"300m"` | CPU request. | +| resources.requests.memory | string | `"300Mi"` | Memory request. | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.1.1/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..efcf04028e --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/templates/jobs.yml @@ -0,0 +1,188 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts )}} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 12}} + {{- end }} + /app/scripts/entrypoint.sh + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + subPath: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + - key: couchbase_password + path: couchbase_password + - key: couchbase_superuser_password + path: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/persistence/values.yaml b/charts/gluu/gluu/5.1.1/charts/persistence/values.yaml new file mode 100644 index 0000000000..55901cd859 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/persistence/values.yaml @@ -0,0 +1,58 @@ + +# -- Job to generate data and initial config for Gluu Server persistence layer. +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Resource specs. +resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.1/charts/saml/.helmignore b/charts/gluu/gluu/5.1.1/charts/saml/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/5.1.1/charts/saml/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/saml/Chart.yaml new file mode 100644 index 0000000000..c07a077a37 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: Jans SAML +home: https://jans.io +icon: https://github.com/JanssenProject/jans/raw/main/docs/assets/logo/janssen_project_favicon_transparent_50px_50px.png +keywords: +- SAML +- Keycloak +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: support@jans.io + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: saml +sources: +- https://github.com/JanssenProject/jans/docker-jans-saml +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/saml/README.md b/charts/gluu/gluu/5.1.1/charts/saml/README.md new file mode 100644 index 0000000000..3a757f6daa --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/README.md @@ -0,0 +1,64 @@ +# saml + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +Jans SAML + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| fullnameOverride | string | `""` | | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/saml"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for saml if needed. | +| livenessProbe.exec | object | `{"command":["python3","/app/scripts/healthcheck.py"]}` | Executes the python3 healthcheck. | +| nameOverride | string | `""` | | +| podSecurityContext | object | `{}` | | +| readinessProbe | object | `{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the saml if needed. | +| replicas | int | `1` | Service replica number. | +| resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}}` | Resource specs. | +| resources.limits.cpu | string | `"500m"` | CPU limit. | +| resources.limits.memory | string | `"500Mi"` | Memory limit. | +| resources.requests.cpu | string | `"500m"` | CPU request. | +| resources.requests.memory | string | `"500Mi"` | Memory request. | +| securityContext | object | `{}` | | +| service.name | string | `"http-saml"` | The name of the saml port within the saml service. Please keep it as default. | +| service.port | int | `8083` | Port of the saml service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/saml/templates/_helpers.tpl new file mode 100644 index 0000000000..8139686d8b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/_helpers.tpl @@ -0,0 +1,122 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "saml.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "saml.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "saml.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "saml.labels" -}} +app: {{ .Release.Name }}-{{ include "saml.name" . }} +helm.sh/chart: {{ include "saml.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "saml.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "saml.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "saml.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "saml.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "saml.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.saml.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "saml.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "saml.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/deployment.yaml new file mode 100644 index 0000000000..38039dbef2 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/deployment.yaml @@ -0,0 +1,246 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "saml.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + APP_NAME: saml + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "saml.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "saml.name" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + env: + - name: CN_SAML_JAVA_OPTIONS + value: {{ include "saml.customJavaOptions" . | trim }} + {{- include "saml.usr-envs" . | indent 12 }} + {{- include "saml.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 16}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port}} + protocol: TCP + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 12 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 12 }} + {{- end }} + - name: kc-db-pass + mountPath: {{ .Values.global.kcDbPasswordFile }} + subPath: kc_db_password + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 12 }} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 12 }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + - name: kc-db-pass + secret: + secretName: {{ .Release.Name }}-kc-db-pass + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "saml.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/hpa.yaml new file mode 100644 index 0000000000..088742f0f0 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "saml.fullname" . }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "saml.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-destination-rules.yaml new file mode 100644 index 0000000000..5547957c4b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-saml-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.saml.samlServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-pdb.yaml new file mode 100644 index 0000000000..a6adbd310c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "saml.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-virtual-services.yaml new file mode 100644 index 0000000000..8f2c106d4c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/saml-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.saml.ingress.samlEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-saml + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-saml + match: + - uri: + prefix: /kc + route: + - destination: + host: {{ .Values.global.saml.samlServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8083 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/service.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/service.yaml new file mode 100644 index 0000000000..e05fa7ac64 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.saml.samlServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/saml/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..b4bc2994cc --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/5.1.1/charts/saml/values.yaml b/charts/gluu/gluu/5.1.1/charts/saml/values.yaml new file mode 100644 index 0000000000..f9ae228b3c --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/saml/values.yaml @@ -0,0 +1,110 @@ +# -- Jans SAML +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/saml + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi +service: + # -- Port of the saml service. Please keep it as default. + port: 8083 + # -- The name of the saml port within the saml service. Please keep it as default. + name: http-saml + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for saml if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure the readiness healthcheck for the saml if needed. +readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} + +nameOverride: "" +fullnameOverride: "" + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +customScripts: [] diff --git a/charts/gluu/gluu/5.1.1/charts/scim/.helmignore b/charts/gluu/gluu/5.1.1/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/5.1.1/charts/scim/Chart.yaml b/charts/gluu/gluu/5.1.1/charts/scim/Chart.yaml new file mode 100644 index 0000000000..38a95f64f0 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 5.1.1 +description: System for Cross-domain Identity Management (SCIM) version 2.0 +home: https://docs.gluu.org +icon: https://gluu.org/docs/gluu-server/favicon.ico +keywords: +- SCIM +- API +kubeVersion: '>=v1.21.0-0' +maintainers: +- email: team@gluu.org + name: Mohammad Abudayyeh + url: https://github.com/moabu +name: scim +sources: +- https://github.com/JanssenProject/jans/jans-scim +- https://github.com/JanssenProject/jans/docker-jans-scim +- https://github.com/GluuFederation/flex/tree/main/charts/gluu/charts/scim +type: application +version: 1.1.1 diff --git a/charts/gluu/gluu/5.1.1/charts/scim/README.md b/charts/gluu/gluu/5.1.1/charts/scim/README.md new file mode 100644 index 0000000000..ae1d1f5133 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/README.md @@ -0,0 +1,62 @@ +# scim + +![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.1.1](https://img.shields.io/badge/AppVersion-5.1.1-informational?style=flat-square) + +System for Cross-domain Identity Management (SCIM) version 2.0 + +**Homepage:** + +## Maintainers + +| Name | Email | Url | +| ---- | ------ | --- | +| Mohammad Abudayyeh | | | + +## Source Code + +* +* +* + +## Requirements + +Kubernetes: `>=v1.21.0-0` + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken | +| additionalLabels | object | `{}` | Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} | +| customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh | +| dnsConfig | object | `{}` | Add custom dns config | +| dnsPolicy | string | `""` | Add custom dns policy | +| hpa | object | `{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50}` | Configure the HorizontalPodAutoscaler | +| hpa.behavior | object | `{}` | Scaling Policies | +| hpa.metrics | list | `[]` | metrics if targetCPUUtilizationPercentage is not set | +| image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. | +| image.pullSecrets | list | `[]` | Image Pull Secrets | +| image.repository | string | `"janssenproject/scim"` | Image to use for deploying. | +| image.tag | string | `"1.1.1-1"` | Image tag to use for deploying. | +| lifecycle | object | `{}` | | +| livenessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5}` | Configure the liveness healthcheck for SCIM if needed. | +| livenessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http liveness probe endpoint | +| readinessProbe | object | `{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5}` | Configure the readiness healthcheck for the SCIM if needed. | +| readinessProbe.httpGet.path | string | `"/jans-scim/sys/health-check"` | http readiness probe endpoint | +| replicas | int | `1` | Service replica number. | +| resources.limits.cpu | string | `"1000m"` | CPU limit. | +| resources.limits.memory | string | `"1000Mi"` | Memory limit. | +| resources.requests.cpu | string | `"1000m"` | CPU request. | +| resources.requests.memory | string | `"1000Mi"` | Memory request. | +| service.name | string | `"http-scim"` | The name of the scim port within the scim service. Please keep it as default. | +| service.port | int | `8080` | Port of the scim service. Please keep it as default. | +| service.sessionAffinity | string | `"None"` | Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP | +| service.sessionAffinityConfig | object | `{"clientIP":{"timeoutSeconds":10800}}` | the maximum session sticky time if sessionAffinity is ClientIP | +| usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service | +| usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 | +| usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 | +| volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers | +| volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/charts/scim/templates/_helpers.tpl new file mode 100644 index 0000000000..5c23b42a6a --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/_helpers.tpl @@ -0,0 +1,111 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "scim.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "scim.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "scim.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "scim.labels" -}} +app: {{ .Release.Name }}-{{ include "scim.name" . }} +helm.sh/chart: {{ include "scim.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "scim.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "scim.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create JAVA_OPTIONS ENV for passing custom work and detailed logs +*/}} +{{- define "scim.customJavaOptions"}} +{{ $custom := "" }} +{{ $custom = printf "%s" .Values.global.scim.cnCustomJavaOptions }} +{{ $memory := .Values.resources.limits.memory | replace "Mi" "" | int -}} +{{- $maxDirectMemory := printf "-XX:MaxDirectMemorySize=%dm" $memory -}} +{{- $xmx := printf "-Xmx%dm" (sub $memory 300) -}} +{{- $customJavaOptions := printf "%s %s %s" $custom $maxDirectMemory $xmx -}} +{{ $customJavaOptions | trim | quote }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "scim.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "scim.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.1.1/charts/scim/templates/deployment.yml new file mode 100644 index 0000000000..4f63d351fa --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/deployment.yml @@ -0,0 +1,235 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "scim.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} + template: + metadata: + labels: + APP_NAME: scim + app: {{ .Release.Name }}-{{ include "scim.name" . }} + {{- if .Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- include "scim.topology-spread-constraints" . | indent 8 }} + {{- end }} + containers: + - name: {{ include "scim.name" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + - name: CN_SCIM_JAVA_OPTIONS + value: {{ include "scim.customJavaOptions" . | trim }} + {{- include "scim.usr-envs" . | indent 12 }} + {{- include "scim.usr-secret-envs" . | indent 12 }} + {{- if or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local") ( .Values.customScripts) }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + /usr/bin/python3 /scripts/updatelbip.py & + {{- end}} + /app/scripts/entrypoint.sh + {{- end}} + {{- if and ( .Values.global.opendj.enabled ) (or (eq .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath")) }} + resources: {} + {{- else if .Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.service.name }} + containerPort: {{ .Values.service.port }} + {{ if .Values.global.cnPrometheusPort }} + - name: prometheus-port + containerPort: {{ .Values.global.cnPrometheusPort }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" .}}-updatelbip + mountPath: "/scripts" + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + {{- end }} + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + {{- end }} + livenessProbe: +{{- toYaml .Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml .Values.readinessProbe | nindent 10 }} + {{- if not .Values.global.isFqdnRegistered }} + hostAliases: + - ip: {{ .Values.global.lbIp }} + hostnames: + - {{ .Values.global.fqdn }} + {{- end }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + + {{- if not .Values.global.istio.enabled }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + {{- end }} + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + # we are mostly need non-superuser couchbase password file here + - key: couchbase_password + path: couchbase_password + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + - name: {{ include "scim.fullname" . }}-updatelbip + configMap: + name: {{ .Release.Name }}-updatelbip + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + - key: ldap_truststore_password + path: ldap_truststore_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.1.1/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/service.yml b/charts/gluu/gluu/5.1.1/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.1/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.1/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/charts/scim/values.yaml b/charts/gluu/gluu/5.1.1/charts/scim/values.yaml new file mode 100644 index 0000000000..bbdc54637d --- /dev/null +++ b/charts/gluu/gluu/5.1.1/charts/scim/values.yaml @@ -0,0 +1,94 @@ + +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/scim + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] +# -- Service replica number. +replicas: 1 +resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi +service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP + sessionAffinity: None + # -- the maximum session sticky time if sessionAffinity is ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 10800 +# -- Configure the liveness healthcheck for SCIM if needed. +livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 +# -- Configure the readiness healthcheck for the SCIM if needed. +readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +# Actions on lifecycle events such as postStart and preStop +# Example +# lifecycle: +# postStart: +# exec: +# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] +lifecycle: {} +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.1/openbanking-values.yaml b/charts/gluu/gluu/5.1.1/openbanking-values.yaml new file mode 100644 index 0000000000..195890488e --- /dev/null +++ b/charts/gluu/gluu/5.1.1/openbanking-values.yaml @@ -0,0 +1,690 @@ +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/auth-server + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- City. Used for certificate creation. + city: Austin + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnSecretGoogleSecretNamePrefix: gluu + # -- Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerPassPhrase: Test1234# + # -- Secret version to be used for configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretVersionId: "latest" + # -- Prefix for Gluu configuration secret in Google Secret Manager. Defaults to gluu. If left intact gluu-configuration secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnConfigGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: janssenproject/configurator + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/config-api + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 400Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 400Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: true + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token . Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: false + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + ingress: + # -- Enable casa endpoints /casa + casaEnabled: true + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- The Load balancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: openbanking + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: false + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer +# -- Nginx ingress definitions chart +nginx-ingress: + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: janssenproject/persistence-loader + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } diff --git a/charts/gluu/gluu/5.1.1/questions.yaml b/charts/gluu/gluu/5.1.1/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.1.1/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.1.1/templates/_helpers.tpl b/charts/gluu/gluu/5.1.1/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.1/values.schema.json b/charts/gluu/gluu/5.1.1/values.schema.json new file mode 100644 index 0000000000..620f8e8f96 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/values.schema.json @@ -0,0 +1,2577 @@ +{ + "$schema":"https://json-schema.org/draft/2020-12/schema#", + "type":"object", + "properties":{ + "admin-ui":{ + "description":"Admin GUI for configuration of the auth-server", + "type":"object", + "properties":{ + + } + }, + "auth-server":{ + "description":"OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing.", + "type":"object", + "properties":{ + + } + }, + "auth-server-key-rotation":{ + "description":"Responsible for regenerating auth-keys per x hours", + "type":"object", + "properties":{ + + } + }, + "casa":{ + "description":"Gluu Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server.", + "type":"object", + "properties":{ + + } + } + }, + "config":{ + "description":"Configuration parameters for setup and initial configuration secret annd config layers used by Gluu services.", + "type":"object", + "properties":{ + "adminPass":{ + "description":"Admin password to login to the UI", + "$ref":"#/definitions/password" + }, + "city":{ + "description":"City of the company or individual. Used in generating the self-signed certificate", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "configmap":{ + "description":"Configuration parameters mapped to envs in a ConfigMap", + "type":"object", + "properties":{ + "cnSqlDbDialect":{ + "description":"SQL dialect", + "type":"string", + "pattern":"^(mysql)$" + }, + "cnSqlDbHost":{ + "description":"SQL server address or ip", + "anyOf":[ + { + "$ref":"#/definitions/url-pattern" + }, + { + "$ref":"#/definitions/ip-pattern" + } + ] + }, + "cnSqlDbPort":{ + "description":"SQL server port", + "type":"integer" + }, + "cnSqlDbName":{ + "description":"SQL server database name for Jans", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbUser":{ + "description":"SQL database Jans username", + "type":"string", + "pattern":"^[a-z-0-9]+$" + }, + "cnSqlDbTimezone":{ + "description":"SQL database timezone", + "type":"string", + "pattern":"^(GMT|UTC|ECT|EET|ART|EAT|MET|NET|PLT|IST|BST|VST|CTT|JST|ACT|AET|SST|NST|MIT|HST|AST|PST|PNT|MST|CST|EST|IET|PRT|CNT|AGT|BET|CAT)$" + }, + "cnSqldbUserPassword":{ + "description":"Password for user config.configmap.cnSqlDbUser.", + "$ref":"#/definitions/password" + }, + "cnCacheType":{ + "description":"Cache type. NATIVE_PERSISTENCE, REDIS. or IN_MEMORY. Defaults to NATIVE_PERSISTENCE", + "type":"string", + "pattern":"^(NATIVE_PERSISTENCE|REDIS|IN_MEMORY)$" + }, + "cnConfigKubernetesConfigMap":{ + "description":"The name of the ConfigMap that will hold the configuration layer", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseBucketPrefix":{ + "description":"The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseCrt":{ + "description":"Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnCouchbaseIndexNumReplica":{ + "description":"The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1.", + "type":"integer" + }, + "cnCouchbasePass":{ + "description":"Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUser":{ + "description":"The Couchbase super user (admin) user name. This user is used during initialization only.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnCouchbaseSuperUserPass":{ + "description":"Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ", + "$ref":"#/definitions/password" + }, + "cnCouchbaseSuperUserPassFile":{ + "description":"The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type":"string", + "pattern":".*couchbase_superuser_password\\b.*" + }, + "cnCouchbaseUrl":{ + "description":"Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster", + "$ref":"#/definitions/fqdn-pattern" + }, + "cnCouchbaseUser":{ + "description":"Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerServiceAccount":{ + "description":"Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnGoogleProjectId":{ + "description":"Project id of the google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"" + }, + "cnGoogleSpannerInstanceId":{ + "description":"Google Spanner ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^([a-z0-9\\-])*$" + }, + "cnGoogleSpannerDatabaseId":{ + "description":"Google Spanner Database ID. Used only when global.cnPersistenceType is spanner.", + "type":"string", + "pattern":"^[a-z0-9\\-]*$" + }, + "cnGoogleSecretVersionId":{ + "description":"Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^([0-9]|latest)*$" + }, + "cnGoogleSecretNamePrefix":{ + "description":"Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "cnGoogleSecretManagerPassPhrase":{ + "description":"Passphrase for Gluu secret in Google Secret Manager. This is used for encrypting and decrypting data from the Google Secret Manager. Used only when global.configAdapterName and global.configSecretAdapter is set to google.", + "$ref":"#/definitions/password" + }, + "cnLdapUrl":{ + "description":"OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`.", + "type":"string", + "pattern":"^[a-z0-9-:]+$" + }, + "cnMaxRamPercent":{ + "description":"Value passed to Java option -XX:MaxRAMPercentage", + "type":"string", + "pattern":"^(\\d{0,2}(\\.\\d{1,2})?|100(\\.0?)?)$" + }, + "cnScimProtectionMode":{ + "description":"SCIM protection mode OAUTH|TEST|UMA", + "type":"string", + "pattern":"^(OAUTH|TEST|UMA)$" + }, + "cnPersistenceHybridMapping":{ + "description":"Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`.", + "type":"string" + }, + "cnRedisSentinelGroup":{ + "description":"Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisSslTruststore":{ + "description":"Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string" + }, + "cnRedisType":{ + "description":"Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"string", + "pattern":"^(SHARDED|STANDALONE|CLUSTER|SENTINEL)$" + }, + "cnRedisUrl":{ + "description":"Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "$ref":"#/definitions/url-pattern" + }, + "cnRedisUseSsl":{ + "description":"Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`.", + "type":"boolean" + }, + "cnSecretKubernetesSecret":{ + "description":"Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default.", + "type":"string", + "pattern":"^[a-z]+$" + }, + "lbAddr":{ + "description":"Loadbalancer address for AWS if the FQDN is not registered.", + "$ref":"#/definitions/url-pattern" + }, + "cnLdapCrt": { + "description": "OpenDJ certificate string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnLdapKey": { + "description": "OpenDJ key string. This must be encoded using base64.", + "type": "string", + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + } + } + }, + "countryCode":{ + "description":"Country code. Used for certificate creation.", + "type":"string", + "pattern":"^[A-Z]+$" + }, + "email":{ + "description":"Email address of the administrator usually. Used for certificate creation.", + "$ref":"#/definitions/email-format" + }, + "image":{ + "type":"object", + "properties":{ + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "ldapPassword":{ + "description":"LDAP admin password if OpennDJ is used for persistence.", + "$ref":"#/definitions/password" + }, + "orgName":{ + "description":"Organization name. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "redisPassword":{ + "description":"Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`", + "$ref":"#/definitions/password" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "state":{ + "description":"State code. Used for certificate creation.", + "type":"string", + "pattern":"^[a-zA-Z]+$" + } + } + }, + "config-api":{ + "description":"Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS).", + "type":"object", + "properties":{ + + } + }, + "fido2":{ + "description":"FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments.", + "type":"object", + "properties":{ + + } + }, + "global":{ + "description":"Parameters used globally across all services helm charts.", + "type":"object", + "properties":{ + "alb":{ + "type":"object", + "properties":{ + "ingress":{ + "description":"Activates ALB ingress", + "type":"boolean" + } + } + }, + "auth-server":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable auth-server chart. You should never set this to false.", + "type":"boolean" + }, + "authServerServiceName":{ + "description":"Name of the auth-server service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-auth.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-auth.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "httpLogTarget":{ + "description":"http_request_response target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "httpLogLevel":{ + "description":"http_request_response level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-auth_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-auth_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-auth_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-auth_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-auth_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-auth_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-auth_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-auth_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "auditStatsLogTarget":{ + "description":"jans-auth_audit.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "auditStatsLogLevel":{ + "description":"jans-auth_audit.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "authServerEnabled":{ + "description":"Enable Auth server endpoints /jans-auth", + "type":"boolean" + }, + "openidConfigEnabled":{ + "description":"Enable endpoint /.well-known/openid-configuration", + "type":"boolean" + }, + "deviceCodeEnabled":{ + "description":"Enable endpoint /device-code", + "type":"boolean" + }, + "firebaseMessagingEnabled":{ + "description":"Enable endpoint /firebase-messaging-sw.js", + "type":"boolean" + }, + "uma2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/uma2-configuration", + "type":"boolean" + }, + "webfingerEnabled":{ + "description":"Enable endpoint /.well-known/webfinger", + "type":"boolean" + }, + "webdiscoveryEnabled":{ + "description":"Enable endpoint /.well-known/simple-web-discovery", + "type":"boolean" + }, + "u2fConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido-configuration", + "type":"boolean" + }, + "authServerProtectedToken":{ + "description":"Enable mTLS on Auth server endpoint /jans-auth/restv1/token", + "type":"boolean" + }, + "authServerProtectedRegister":{ + "description":"Enable mTLS onn Auth server endpoint /jans-auth/restv1/register", + "type":"boolean" + } + } + } + + } + }, + "admin-ui":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable admin-ui chart. You should never set this to false.", + "type":"boolean" + }, + "adminUiServiceName":{ + "description":"Name of the admin service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "adminUiEnabled":{ + "description":"Enable Admin UI endpoints.", + "type":"boolean" + } + } + } + } + }, + + "auth-server-key-rotation":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the auth-server-key rotation cronjob chart.", + "type":"boolean" + } + } + }, + "awsStorageType":{ + "description":"Volume stroage type if using AWS volumes.", + "type":"string", + "pattern":"^(io1|io2|gp2|st1|sc1)$" + }, + "azureStorageAccountType":{ + "description":"Volume storage type if using Azure disks.", + "type":"string", + "pattern":"^(Standard_LRS|Premium_LRS|StandardSSD_LRS|UltraSSD_LRS)$" + }, + "azureStorageKind":{ + "description":"Azure storage kind if using Azure disks", + "type":"string", + "pattern":"^(Managed)$" + }, + "cloud":{ + "type":"object", + "properties":{ + "testEnviroment":{ + "description":"Boolean flag if enabled will strip resources requests and limits from all services.", + "type":"boolean" + } + } + }, + "cnPersistenceType":{ + "description":"Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner.", + "type":"string", + "pattern":"^(ldap|couchbase|hybrid|sql|spanner)$" + }, + "cnDocumentStoreType":{ + "description":"Document store type to use for shibboleth files DB.", + "type":"string", + "pattern":"^(DB)$" + }, + "cnObExtSigningJwksUri":{ + "description":"Open banking external signing jwks uri. Used in SSA Validation.", + "type":"string" + }, + "cnObExtSigningJwksCrt":{ + "description":"Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKey":{ + "description":"Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningJwksKeyPassPhrase":{ + "description":"Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObExtSigningAlias":{ + "description":"Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObStaticSigningKeyKid":{ + "description":"Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G", + "type":"string" + }, + "cnObTransportCrt":{ + "description":"Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKey":{ + "description":"Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportKeyPassPhrase":{ + "description":"Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "cnObTransportAlias":{ + "description":"Open banking transport Alias used inside the JVM.", + "type":"string" + }, + "cnObTransportTrustStore":{ + "description":"Open banking AS transport truststore in .p12 format. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64.", + "type":"string", + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, + "config":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the configuration chart. This normally should always be true", + "type":"boolean" + } + } + }, + "configAdapterName":{ + "description":"The config backend adapter that will hold Gluu configuration layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws)$" + }, + "configSecretAdapter":{ + "description":"The config backend adapter that will hold Gluu secret layer. google|kubernetes|aws", + "type":"string", + "pattern":"^(kubernetes|google|aws|vault)$" + }, + "cnGoogleApplicationCredentials":{ + "description":"Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.", + "type":"string", + "pattern":".*google-credentials.json\\b.*" + }, + "casa":{ + "type":"object", + "properties":{ + "casaServiceName":{ + "description":"Name of the casa service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the casa chart.", + "type":"boolean" + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "casaEnabled":{ + "description":" Enable casa endpoints /casa", + "type":"boolean" + } + } + } + } + }, + "config-api":{ + "type":"object", + "properties":{ + "configApiServerServiceName":{ + "description":"Name of the config-api service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the config-api chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "configApiLogTarget":{ + "description":"configapi.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "configApiLogLevel":{ + "description":"configapi.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "adminUiAppLoggers":{ + "type":"object", + "properties":{ + "adminUiLogTarget":{ + "description":"config-api admin-ui plugin log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiLogLevel":{ + "description":"config-api admin-ui plugin log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "adminUiAuditLogTarget":{ + "description":"config-api admin-ui plugin audit log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "adminUiAuditLogLevel":{ + "description":"config-api admin-ui plugin audit log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "configApiEnabled":{ + "description":"Enable config API endpoints /jans-config-api", + "type":"boolean" + } + } + } + + + } + }, + "fqdn":{ + "description":"Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services.", + "$ref":"#/definitions/fqdn-pattern" + }, + "fido2":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "enabled":{ + "description":"Boolean flag to enable/disable the fido2 chart.", + "type":"boolean" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "fido2LogTarget":{ + "description":"fido2.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "fido2LogLevel":{ + "description":"fido2.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"fido2_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"fido2_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "fido2ConfigEnabled":{ + "description":"Enable endpoint /.well-known/fido2-configuration", + "type":"boolean" + } + } + } + + } + }, + "gcePdStorageType":{ + "description":"GCE storage kind if using Google disks", + "type":"string", + "pattern":"^(pd-standard|pd-balanced|pd-ssd)$" + }, + "isFqdnRegistered":{ + "description":"Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically.", + "type":"boolean" + }, + "istio":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag that enables using istio side cars with Gluu services.", + "type":"boolean" + }, + "ingress":{ + "description":"Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available.", + "type":"boolean" + }, + "namespace":{ + "description":"The namespace istio is deployed in. The is normally istio-system.", + "type":"string", + "pattern":"^[a-z0-9-_/]+$" + } + } + }, + "lbIp":{ + "description":"The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable.", + "$ref":"#/definitions/ip-pattern" + }, + "nginx-ingress":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the nginx-ingress definitions chart.", + "type":"boolean" + } + } + }, + "opendj":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the OpenDJ chart.", + "type":"boolean" + }, + "ldapServiceName":{ + "description":"Name of the OpenDJ service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + }, + "distribution":{ + "description":"Gluu distributions supported are: default|openbanking.", + "type":"string", + "pattern":"^(default|openbanking)$" + }, + "persistence":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the persistence chart.", + "type":"boolean" + } + } + }, + "scim":{ + "type":"object", + "properties":{ + "enabled":{ + "description":"Boolean flag to enable/disable the SCIM chart.", + "type":"boolean" + }, + "scimServiceName":{ + "description":"Name of the scim service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + }, + "appLoggers":{ + "type":"object", + "properties":{ + "authLogTarget":{ + "description":"jans-scim.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "authLogLevel":{ + "description":"jans-scim.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceLogTarget":{ + "description":"jans-scim_persistence.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceLogLevel":{ + "description":"jans-scim_persistence.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "persistenceDurationLogTarget":{ + "description":"jans-scim_persistence_duration.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "persistenceDurationLogLevel":{ + "description":"jans-scim_persistence_duration.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "ldapStatsLogTarget":{ + "description":"jans-scim_persistence_ldap_statistics.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "ldapStatsLogLevel":{ + "description":"jans-scim_persistence_ldap_statistics.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + }, + "scriptLogTarget":{ + "description":"jans-scim_script.log target", + "type":"string", + "pattern":"^(STDOUT|FILE)$" + }, + "scriptLogLevel":{ + "description":"jans-scim_script.log level", + "type":"string", + "pattern":"^(FATAL|ERROR|WARN|INFO|DEBUG|TRACE)$" + } + } + }, + "ingress":{ + "description":"Endpoint control", + "type":"object", + "properties": { + "scimEnabled":{ + "description":"Enable SCIM endpoints /jans-scim", + "type":"boolean" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + } + } + } + + } + }, + "storageClass":{ + "description":"StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed.", + "type":"object", + "properties":{ + "allowVolumeExpansion":{ + "type":"boolean" + }, + "allowedTopologies":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "mountOptions":{ + "type":"array", + "items":{ + "type":"string" + } + }, + "parameters":{ + "type":"object", + "properties":{ + "fsType":{ + "type":"string" + }, + "kind":{ + "type":"string" + }, + "pool":{ + "type":"string" + }, + "storageAccountType":{ + "type":"string" + }, + "type":{ + "type":"string" + } + } + }, + "provisioner":{ + "type":"string" + }, + "reclaimPolicy":{ + "type":"string" + }, + "volumeBindingMode":{ + "type":"string" + } + } + }, + "cnSqlPasswordFile": { + "description": "The location of file contains password for the SQL user config.configmap.cnSqlDbUser. The file path must end with sql_password.", + "type": "string", + "pattern": ".*sql_password\\b.*" + }, + "cnCouchbasePasswordFile": { + "description": "The location of the Couchbase user config.configmap.cnCouchbaseUser password. The file path must end with couchbase_password.", + "type": "string", + "pattern": ".*couchbase_password\\b.*" + }, + "cnCouchbaseSuperuserPasswordFile": { + "description": "The location of the Couchbase restricted user config.configmap.cnCouchbaseSuperUser password. The file path must end with couchbase_superuser_password.", + "type": "string", + "pattern": ".*couchbase_superuser_password\\b.*" + }, + "cnLdapPasswordFile": { + "description": "The location of the OpenDJ user password. The file path must end with ldap_password.", + "type": "string", + "pattern": ".*ldap_password\\b.*" + }, + "cnLdapTruststorePasswordFile": { + "description": "The location of the OpenDJ truststore password file. The file path must end with ldap_truststore_password.", + "type": "string", + "pattern": ".*ldap_truststore_password\\b.*" + }, + "cnLdapCertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.crt.", + "type": "string", + "pattern": ".*opendj.crt\\b.*" + }, + "cnLdapKeyFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.key.", + "type": "string", + "pattern": ".*opendj.key\\b.*" + }, + "cnLdapCacertFile": { + "description": "The location of the OpenDJ certificate file. The file path must end with opendj.pem.", + "type": "string", + "pattern": ".*opendj.pem\\b.*" + }, + "cnLdapTruststoreFile": { + "description": "The location of the OpenDJ truststore file. The file path must end with opendj.pkcs12.", + "type": "string", + "pattern": ".*opendj.pkcs12\\b.*" + } + } + }, + "nginx-ingress":{ + "description":"Nginx ingress definitions chart", + "type":"object", + "properties":{ + + } + }, + "opendj":{ + "description":"OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions.", + "type":"object", + "properties":{ + + } + }, + "persistence":{ + "description":"Job to generate data and intial config for Gluu Server persistence layer.", + "type":"object", + "properties":{ + + } + }, + "scim":{ + "description":"System for Cross-domain Identity Management (SCIM) version 2.0", + "type":"object", + "properties":{ + + } + } + , + "allOf":[ + { + "$ref":"#/definitions/admin-ui-enabled" + }, + { + "$ref":"#/definitions/auth-server-enabled" + }, + { + "$ref":"#/definitions/auth-server-key-rotation-enabled" + }, + { + "$ref":"#/definitions/casa-enabled" + }, + { + "$ref":"#/definitions/config-api-enabled" + }, + { + "$ref":"#/definitions/fido2-enabled" + }, + { + "$ref":"#/definitions/nginx-ingress-enabled" + }, + { + "$ref":"#/definitions/opendj-enabled" + }, + { + "$ref":"#/definitions/persistence-enabled" + }, + { + "$ref":"#/definitions/scim-enabled" + } + ], + "definitions":{ + "password":{ + "anyOf":[ + { + "type":"string", + "minLength":8, + "pattern":"", + "description":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "password-pattern":{ + "type":"string", + "minLength":6, + "pattern":"", + "errors":{ + "minLength":"Password minimum 6 character", + "pattern":"Password does not meet requirements. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + } + }, + "email-format":{ + "type":"string", + "format":"email" + }, + "fqdn-pattern":{ + "anyOf":[ + { + "type":"string", + "errors":{ + "pattern":"Setting not FQDN structured. Please enter a FQDN with the format demoexample.gluu.org" + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "url-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"(^|\\s)((https?:\\/\\/)?[\\w-]+(\\.[\\w-]+)+\\.?(:\\d+)?(\\/\\S*)?)", + "errors":{ + "pattern":"URL pattern is not meeting standards." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "ip-pattern":{ + "anyOf":[ + { + "type":"string", + "pattern":"^(\\*|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$", + "errors":{ + "pattern":"Not a valid IP." + } + }, + { + "type":"string", + "maxLength":0 + } + ] + }, + "admin-ui-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "admin-ui":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "admin-ui":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "auth-server-key-rotation-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "auth-server-key-rotation":{ + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "keysLife":{ + "description":"Auth server key rotation keys life in hours", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + }, + "required":[ + "image", + "resources", + "keysLife" + ] + } + } + }, + "else":true + }, + "casa-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "casa":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "casa":{ + "required":[ + "image", + "replicas", + "resources" + ], + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "config-api-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "config-api":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "config-api":{ + "required":[ + "image", + "replicas", + "resources" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "fido2-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "fido2":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "fido2":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "fido2ServiceName":{ + "description":"Name of the Fido2 service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + }, + "nginx-ingress-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "nginx-ingress":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "nginx-ingress":{ + "type":"object", + "properties":{ + "ingress":{ + "type":"object", + "required":[ + "additionalAnnotations", + "path", + "hosts", + "tls" + ], + "properties":{ + "adminUiLabels":{ + "description":"Admin UI ingress resource labels. key app is taken.", + "type":"object" + }, + "openidConfigLabels":{ + "description":"openid-configuration ingress resource labels. key app is taken", + "type":"object" + }, + "uma2ConfigLabels":{ + "description":"uma2 config ingress resource labels. key app is taken", + "type":"object" + }, + "webfingerLabels":{ + "description":"webfinger ingress resource labels. key app is taken", + "type":"object" + }, + "webdiscoveryLabels":{ + "description":"webdiscovery ingress resource labels. key app is taken", + "type":"object" + }, + "scimConfigEnabled":{ + "description":"Enable endpoint /.well-known/scim-configuration", + "type":"boolean" + }, + "scimConfigLabels":{ + "description":"SCIM config ingress resource labels. key app is taken", + "type":"object" + }, + "scimLabels":{ + "description":"SCIM ingress resource labels. key app is taken", + "type":"object" + }, + "configApiLabels":{ + "description":"configAPI ingress resource labels. key app is taken", + "type":"object" + }, + "u2fConfigLabels":{ + "description":"u2f ingress resource labels. key app is taken", + "type":"object" + }, + "fido2ConfigLabels":{ + "description":"fido2 ingress resource labels. key app is taken", + "type":"object" + }, + "authServerLabels":{ + "description":"Auth server config ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedTokenLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "authServerProtectedRedisterLabels":{ + "description":"Auth server protected token ingress resource labels. key app is taken", + "type":"object" + }, + "additionalAnnotations":{ + "description":"Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"}", + "type":"object" + }, + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "path":{ + "type":"string" + }, + "tls":{ + "description":"Secret holding HTTPS CA cert and key.", + "type":"array", + "items":{ + "type":"object", + "properties":{ + "hosts":{ + "type":"array", + "items":{ + "$ref":"#/definitions/fqdn-pattern" + } + }, + "secretName":{ + "type":"string", + "pattern":"^[a-z-]+$" + } + } + } + } + } + } + } + } + } + }, + "else":true + }, + "opendj-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "opendj":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "opendj":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "persistence":{ + "type":"object", + "properties":{ + "size":{ + "description":"OpenDJ volume size", + "type":"string", + "pattern":"^[0-9]Gi+$" + } + } + }, + "ports":{ + "type":"object", + "properties":{ + "tcp-admin":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldap":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-ldaps":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-repl":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "tcp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + }, + "udp-serf":{ + "type":"object", + "properties":{ + "nodePort":{ + "type":"string" + }, + "port":{ + "type":"integer" + }, + "protocol":{ + "type":"string" + }, + "targetPort":{ + "type":"integer" + } + } + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "persistence-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "persistence":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "persistence":{ + "required":[ + "image", + "resources" + ], + "type":"object", + "properties":{ + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + } + } + } + } + }, + "else":true + }, + "scim-enabled":{ + "if":{ + "properties":{ + "global":{ + "properties":{ + "scim":{ + "properties":{ + "enabled":{ + "const":"true" + } + } + } + } + } + } + }, + "then":{ + "properties":{ + "scim":{ + "required":[ + "image", + "replicas", + "resources", + "service" + ], + "type":"object", + "properties":{ + "hpa":{ + "description":"Configure the HorizontalPodAutoscaler", + "type":"object", + "properties":{ + "enabled":{ + "type":"boolean" + }, + "minReplicas":{ + "type":"integer" + }, + "maxReplicas":{ + "type":"integer" + }, + "targetCPUUtilizationPercentage":{ + "type":"integer" + }, + "metrics":{ + "description":"metrics if targetCPUUtilizationPercentage is not set", + "type":"array" + }, + "behavior":{ + "description":"Scaling Policies", + "type":"object" + } + } + }, + "usrEnvs":{ + "description":"Add custom normal and secret envs to the service", + "type":"object", + "properties":{ + "normal":{ + "description":"Add custom normal envs to the service", + "type":"object" + }, + "secret":{ + "description":"Add custom secret envs to the service", + "type":"object" + } + } + }, + "dnsPolicy":{ + "description":"Add custom dns policy", + "type":"string", + "pattern":"^(Default|ClusterFirst|ClusterFirstWithHostNet|None|)$" + }, + "dnsConfig":{ + "description":"Add custom dns config", + "type":"object" + }, + "image":{ + "type":"object", + "properties":{ + "pullPolicy":{ + "description":"Image pullPolicy to use for deploying.", + "type":"string", + "pattern":"^(Always|Never|IfNotPresent)$" + }, + "repository":{ + "description":"Image to use for deploying", + "type":"string" + }, + "tag":{ + "description":"Image tag to use for deploying.", + "type":"string", + "pattern":"^[a-z0-9-_.]+$" + } + } + }, + "replicas":{ + "description":"Service replica number.", + "type":"integer" + }, + "resources":{ + "description":"Resource specs.", + "type":"object", + "properties":{ + "limits":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU limit.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory limit.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + }, + "requests":{ + "type":"object", + "properties":{ + "cpu":{ + "description":"CPU request.", + "type":"string", + "pattern":"^[0-9m]+$" + }, + "memory":{ + "description":"Memory request.", + "type":"string", + "pattern":"^[0-9Mi]+$" + } + } + } + } + }, + "service":{ + "type":"object", + "properties":{ + "scimServiceName":{ + "description":"Name of the SCIM service. Please keep it as default.", + "type":"string", + "pattern":"^[a-z0-9-]+$" + } + } + } + } + } + } + }, + "else":true + } + } +} diff --git a/charts/gluu/gluu/5.1.1/values.yaml b/charts/gluu/gluu/5.1.1/values.yaml new file mode 100644 index 0000000000..239cca7876 --- /dev/null +++ b/charts/gluu/gluu/5.1.1/values.yaml @@ -0,0 +1,1920 @@ +# -- Only used by the installer. These settings do not affect nor are used by the chart +installer-settings: + currentVersion: "" + acceptLicense: "" + namespace: "" + releaseName: "" + nginxIngress: + releaseName: "" + namespace: "" + nodes: + names: "" + zones: "" + ips: "" + images: + edit: "" + aws: + lbType: "" + arn: + enabled: "" + arnAcmCert: "" + vpcCidr: "0.0.0.0/0" + couchbase: + clusterName: "" + namespace: "" + lowResourceInstall: "" + install: "" + customFileOverride: "" + backup: + incrementalSchedule: "" + fullSchedule: "" + retentionTime: "" + storageSize: "" + # Couchbase cert related keys + subjectAlternativeName: "" + commonName: "" + # Couchbase cluster yaml generator keys + totalNumberOfExpectedUsers: "" + totalNumberOfExpectedTransactionsPerSec: "" + volumeType: "" + volumeProvisionStrategy: "" + ldap: + backup: + fullSchedule: "" + postgres: + install: "" + namespace: "" + sql: + install: "" + namespace: "" + google: + useSecretManager: "" + redis: + install: "" + namespace: "" + openbanking: + hasCnObTransportTrustStore: false + cnObTransportTrustStoreP12password: "" + confirmSettings: false + +# -- Admin GUI for configuration of the auth-server +admin-ui: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/gluufederation/flex/admin-ui + # -- Image tag to use for deploying. + tag: 5.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2000m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 2000m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for the admin ui if needed. + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure the readiness healthcheck for the admin ui if needed. + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. +auth-server: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/auth-server + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 2500m + # -- Memory limit. + memory: 2500Mi + requests: + # -- CPU request. + cpu: 2500m + # -- Memory request. + memory: 2500Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- Executes the python3 healthcheck. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the auth server if needed. + # https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py + readinessProbe: + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Responsible for regenerating auth-keys per x hours +auth-server-key-rotation: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/certmanager + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Auth server key rotation keys life in hours + keysLife: 48 + # -- Set key selection strategy used by Auth server + keysStrategy: NEWER + # -- Delay (in seconds) before pushing private keys to Auth server + keysPushDelay: 0 + # -- Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) + keysPushStrategy: NEWER + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: {} + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. +config: + # -- Add custom normal and secret envs to the service. + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + # -- Admin password to log in to the UI. + adminPassword: Test1234# + # -- City. Used for certificate creation. + city: Austin + # -- Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. + salt: "" + configmap: + # -- Jetty header size in bytes in the auth server + cnJettyRequestHeaderSize: 8192 + # -- Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as `"public"`). + cnSqlDbSchema: "" + # -- SQL database dialect. `mysql` or `pgsql` + cnSqlDbDialect: mysql + # -- SQL database host uri. + cnSqlDbHost: my-release-mysql.default.svc.cluster.local + # -- SQL database port. + cnSqlDbPort: 3306 + # -- SQL database name. + cnSqlDbName: gluu + # -- SQL database username. + cnSqlDbUser: gluu + # -- SQL database timezone. + cnSqlDbTimezone: UTC + # -- SQL password injected the secrets . + cnSqldbUserPassword: Test1234# + # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` . + cnCacheType: NATIVE_PERSISTENCE + # -- The name of the Kubernetes ConfigMap that will hold the configuration layer + cnConfigKubernetesConfigMap: cn + # -- The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu. + cnCouchbaseBucketPrefix: jans + # -- Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required. + cnCouchbaseCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1. + cnCouchbaseIndexNumReplica: 0 + # -- Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol . + cnCouchbasePassword: P@ssw0rd + # -- The Couchbase super user (admin) username. This user is used during initialization only. + cnCouchbaseSuperUser: admin + # -- Couchbase password for the superuser config.configmap.cnCouchbaseSuperUser that is used during the initialization process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol + cnCouchbaseSuperUserPassword: Test1234# + # -- Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster + cnCouchbaseUrl: cbgluu.default.svc.cluster.local + # -- Couchbase restricted user. Used only when global.cnPersistenceType is hybrid or couchbase. + cnCouchbaseUser: gluu + # [google_envs] Envs related to using Google + # -- Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretManagerServiceAccount: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleProjectId: google-project-to-save-config-and-secrets-to + # [google_spanner_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Google Spanner ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerInstanceId: "" + # -- Google Spanner Database ID. Used only when global.cnPersistenceType is spanner. + cnGoogleSpannerDatabaseId: "" + # [google_spanner_envs] END + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + # -- Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretVersionId: "latest" + # -- Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. + cnGoogleSecretNamePrefix: gluu + # [google_secret_manager_envs] END + # [google_envs] END + # [aws_envs] Envs related to using AWS + # [aws_secret_manager_envs] + # AWS Access key id that belong to a user/id with SecretsManagerReadWrite policy + cnAwsAccessKeyId: "" + # AWS Secret Access key that belong to a user/id with SecretsManagerReadWrite policy + cnAwsSecretAccessKey: "" + #The URL of AWS secretsmanager service (if omitted, will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com). Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsEndpointUrl: "" + # The prefix name of the secrets. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. + cnAwsSecretsNamePrefix: gluu + # The default AWS Region to use, for example, `us-west-1` or `us-west-2`. + cnAwsDefaultRegion: us-west-1 + # The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html + cnAwsProfile: gluu + # Example replicated region [{"Region": "us-west-1"}, {"Region": "us-west-2"}] + cnAwsSecretsReplicaRegions: [] + # [aws_secret_manager_envs] END + # [aws_envs] END + # [vault_envs] Envs related to Hashicorp vault + # -- Vault AppRole RoleID. + cnVaultRoleId: "" + # -- Vault AppRole SecretID. + cnVaultSecretId: "" + # -- Base URL of Vault. + cnVaultAddr: http://localhost:8200 + # -- Verify connection to Vault. + cnVaultVerify: false + # -- Path to file contains Vault AppRole role ID. + cnVaultRoleIdFile: /etc/certs/vault_role_id + # -- Path to file contains Vault AppRole secret ID. + cnVaultSecretIdFile: /etc/certs/vault_secret_id + # -- Vault namespace used to access the secrets. + cnVaultNamespace: "" + # -- Path to Vault KV secrets engine. + cnVaultKvPath: secret + # -- Base prefix name used to access secrets. + cnVaultPrefix: jans + # -- Path to Vault AppRole. + cnVaultAppRolePath: approle + # [vault_envs] END + # -- OpenDJ internal address. Leave as default. Used when `global.cnPersistenceType` is set to `ldap`. + cnLdapUrl: "opendj:1636" + # -- Value passed to Java option -XX:MaxRAMPercentage + cnMaxRamPercent: "75.0" + # -- SCIM protection mode OAUTH|TEST|UMA + cnScimProtectionMode: "OAUTH" + # -- Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`. + #{ + # "default": "", + # "user": "", + # "site": "", + # "cache": "", + # "token": "", + # "session": "", + #} + cnPersistenceHybridMapping: "{}" + # -- Redis Sentinel Group. Often set when `config.configmap.cnRedisType` is set to `SENTINEL`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSentinelGroup: "" + # -- Redis SSL truststore. Optional. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisSslTruststore: "" + # -- Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisType: STANDALONE + # -- Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUrl: "redis.redis.svc.cluster.local:6379" + # -- Boolean to use SSL in Redis. Can be used when `config.configmap.cnCacheType` is set to `REDIS`. + cnRedisUseSsl: false + # -- Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. + cnSecretKubernetesSecret: cn + # -- Load balancer address for AWS if the FQDN is not registered. + lbAddr: "" + # -- OpenDJ certificate string. This must be encoded using base64. + cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- OpenDJ key string. This must be encoded using base64. + cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo= + # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. + quarkusTransactionEnableRecovery: true + # -- Keycloak logging level + kcLogLevel: INFO + # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed) + kcProxy: edge + # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. + kcDbVendor: mysql + # -- Keycloak database username + kcDbUsername: keycloak + # -- Password for Keycloak database access + kcDbPassword: Test1234# + # -- Keycloak database schema name (note that PostgreSQL may be using "public" schema). + kcDbSchema: keycloak + # -- Keycloak database host uri + kcDbUrlHost: mysql.kc.svc.cluster.local + # -- Keycloak database port (default to port 3306 for mysql). + kcDbUrlPort: 3306 + # -- Keycloak database name. + kcDbUrlDatabase: keycloak + # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string. + kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4" + # -- URL of OPA API + cnOpaUrl: http://opa.opa.svc.cluster.cluster.local:8181/v1 + # -- Message type (one of POSTGRES, REDIS, or DISABLED) + cnMessageType: DISABLED + # -- Country code. Used for certificate creation. + countryCode: US + # -- Email address of the administrator usually. Used for certificate creation. + email: team@gluu.org + image: + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/configurator + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- LDAP admin password if OpenDJ is used for persistence. + ldapPassword: P@ssw0rds + # -- LDAP truststore password if OpenDJ is used for persistence + ldapTruststorePassword: changeit + # -- Organization name. Used for certificate creation. + orgName: Gluu + # -- Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`. + redisPassword: P@assw0rd + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- State code. Used for certificate creation. + state: TX + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + # -- CE to CN Migration section + migration: + # -- Boolean flag to enable migration from CE + enabled: false + # -- Directory holding all migration files + migrationDir: /ce-migration + # -- migration data-format depending on persistence backend. + # Supported data formats are ldif, couchbase+json, spanner+avro, postgresql+json, and mysql+json. + migrationDataFormat: ldif + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). +config-api: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/config-api + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-config-api/api/v1/health/live + port: 8074 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + httpGet: + path: jans-config-api/api/v1/health/ready + port: 8074 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. +fido2: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/fido2 + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + service: + # -- The name of the fido2 port within the fido2 service. Please keep it as default. + name: http-fido2 + # -- Port of the fido2 service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for the fido2 if needed. + livenessProbe: + # -- http liveness probe endpoint + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the fido2 if needed. + readinessProbe: + httpGet: + path: /jans-fido2/sys/health-check + port: http-fido2 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. +casa: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/casa + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 500Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 500Mi + # -- Configure the liveness healthcheck for casa if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the casa if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-casa/health-check + port: http-casa + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [] +# -- Parameters used globally across all services helm charts. +global: + # -- Add custom normal and secret envs to the service. + # Envs defined in global.userEnvs will be globally available to all services + usrEnvs: + # -- Add custom normal envs to the service. + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service. + # variable1: value1 + secret: {} + alb: + # -- Activates ALB ingress + ingress: false + admin-ui: + # -- Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. + enabled: true + # -- Name of the admin-ui service. Please keep it as default. + adminUiServiceName: admin-ui + ingress: + # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice + adminUiEnabled: false + + auth-server: + # -- Name of the auth-server service. Please keep it as default. + authServerServiceName: auth-server + # -- Boolean flag to enable/disable auth-server chart. You should never set this to false. + enabled: true + # -- passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-auth.log target + authLogTarget: "STDOUT" + # -- jans-auth.log level + authLogLevel: "INFO" + # -- http_request_response.log target + httpLogTarget: "FILE" + # -- http_request_response.log level + httpLogLevel: "INFO" + # -- jans-auth_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-auth_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-auth_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-auth_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-auth_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-auth_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-auth_script.log target + scriptLogTarget: "FILE" + # -- jans-auth_script.log level + scriptLogLevel: "INFO" + # -- jans-auth_script.log target + auditStatsLogTarget: "FILE" + # -- jans-auth_audit.log level + auditStatsLogLevel: "INFO" + # -- space-separated key algorithm for signing (default to `RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512`) + authSigKeys: "RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512" + # -- space-separated key algorithm for encryption (default to `RSA1_5 RSA-OAEP`) + authEncKeys: "RSA1_5 RSA-OAEP" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable Auth server endpoints /jans-auth + authServerEnabled: true + # -- Enable endpoint /.well-known/openid-configuration + openidConfigEnabled: true + # -- Enable endpoint /device-code + deviceCodeEnabled: true + # -- Enable endpoint /firebase-messaging-sw.js + firebaseMessagingEnabled: true + # -- Enable endpoint /.well-known/uma2-configuration + uma2ConfigEnabled: true + # -- Enable endpoint /.well-known/webfinger + webfingerEnabled: true + # -- Enable endpoint /.well-known/simple-web-discovery + webdiscoveryEnabled: true + # -- Enable endpoint /.well-known/fido-configuration + u2fConfigEnabled: true + # -- Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. + authServerProtectedToken: false + # -- Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. + authServerProtectedRegister: false + # -- Enable jans-lock as service running inside auth-server + lockEnabled: false + + auth-server-key-rotation: + # -- Boolean flag to enable/disable the auth-server-key rotation cronjob chart. + enabled: true + # -- The initial auth server key rotation keys life in hours + initKeysLife: 48 + # -- Volume storage type if using AWS volumes. + awsStorageType: io1 + # -- Volume storage type if using Azure disks. + azureStorageAccountType: Standard_LRS + # -- Azure storage kind if using Azure disks + azureStorageKind: Managed + casa: + # -- passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- casa.log target + casaLogTarget: "STDOUT" + # -- casa.log level + casaLogLevel: "INFO" + # -- casa timer log target + timerLogTarget: "FILE" + # -- casa timer log level + timerLogLevel: "INFO" + # -- Name of the casa service. Please keep it as default. + casaServiceName: casa + # -- Boolean flag to enable/disable the casa chart. + enabled: true + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable casa endpoints /casa + casaEnabled: false + cloud: + # -- Boolean flag if enabled will strip resources requests and limits from all services. + testEnviroment: false + # -- Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. + cnPrometheusPort: "" + # -- Document store type to use for shibboleth files DB. + cnDocumentStoreType: DB + # -- Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner. + cnPersistenceType: sql + # -- Open banking external signing jwks uri. Used in SSA Validation. + cnObExtSigningJwksUri: "" + # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksCrt: "" + # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKey: "" + # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. + cnObExtSigningJwksKeyPassPhrase: "" + # -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G + cnObExtSigningAlias: "" + # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G + cnObStaticSigningKeyKid: "" + # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. + cnObTransportCrt: "" + # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. + cnObTransportKey: "" + # -- Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. + cnObTransportKeyPassPhrase: "" + # -- Open banking transport Alias used inside the JVM. + cnObTransportAlias: "" + # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. + cnObTransportTrustStore: "" + config: + # -- Boolean flag to enable/disable the configuration chart. This normally should never be false + enabled: true + # -- https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ + jobTtlSecondsAfterFinished: 300 + # -- The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes + configAdapterName: kubernetes + # -- The config backend adapter that will hold Gluu secret layer. vault|aws|google|kubernetes + configSecretAdapter: kubernetes + # -- Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner. Leave as this is a sensible default. + cnGoogleApplicationCredentials: /etc/jans/conf/google-credentials.json + # The location of the shared credentials file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).Leave as this is a sensible default. + cnAwsSharedCredentialsFile: /etc/jans/conf/aws_shared_credential_file + # The location of the config file used by the client (see https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Leave as this is a sensible default. + cnAwsConfigFile: /etc/jans/conf/aws_config_file + # The location of file contains replica regions definition (if any). This file is mostly used in primary region. Example of contents of the file: `[{"Region": "us-west-1"}]`. Used only when global.configAdapterName and global.configSecretAdapter is set to aws. Leave as this is a sensible default. + cnAwsSecretsReplicaRegionsFile: /etc/jans/conf/aws_secrets_replica_regions + config-api: + # -- Name of the config-api service. Please keep it as default. + configApiServerServiceName: config-api + # -- Boolean flag to enable/disable the config-api chart. + enabled: true + # -- passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- configapi.log target + configApiLogTarget: "STDOUT" + # -- configapi.log level + configApiLogLevel: "INFO" + # -- config-api_persistence.log target + persistenceLogTarget: "FILE" + # -- config-api_persistence.log level + persistenceLogLevel: "INFO" + # -- config-api_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- config-api_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- config-api_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- config-api_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- config-api_script.log target + scriptLogTarget: "FILE" + # -- config-api_script.log level + scriptLogLevel: "INFO" + adminUiAppLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- config-api admin-ui plugin log level + adminUiLogTarget: "FILE" + # -- config-api admin-ui plugin log target + adminUiLogLevel: "INFO" + # -- config-api admin-ui plugin audit log target + adminUiAuditLogTarget: "FILE" + # -- config-api admin-ui plugin audit log level + adminUiAuditLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable config API endpoints /jans-config-api + configApiEnabled: true + # -- Comma-separated values of enabled plugins (supported plugins are "admin-ui","fido2","scim","user-mgt","jans-link","kc-saml") + plugins: "admin-ui,fido2,scim,user-mgt" + # -- Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. + fqdn: demoexample.gluu.org + fido2: + # -- Name of the fido2 service. Please keep it as default. + fido2ServiceName: fido2 + # -- Boolean flag to enable/disable the fido2 chart. + enabled: true + # -- passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- fido2.log target + fido2LogTarget: "STDOUT" + # -- fido2.log level + fido2LogLevel: "INFO" + # -- fido2_persistence.log target + persistenceLogTarget: "FILE" + # -- fido2_persistence.log level + persistenceLogLevel: "INFO" + # -- fido2_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- fido2_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- fido2_script.log target + scriptLogTarget: "FILE" + # -- fido2_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/fido2-configuration + fido2ConfigEnabled: false + # -- Enable endpoint /jans-fido2 + fido2Enabled: false + # -- GCE storage kind if using Google disks + gcePdStorageType: pd-standard + # -- Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. + isFqdnRegistered: false + istio: + # -- Boolean flag that enables using istio side-cars with Gluu services. + enabled: false + # -- Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. + ingress: false + # -- The namespace istio is deployed in. The is normally istio-system. + namespace: istio-system + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. + gateways: [ ] + # -- The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `global.fqdn` is globally resolvable. + lbIp: 22.22.22.22 + nginx-ingress: + # -- Boolean flag to enable/disable the nginx-ingress definitions chart. + enabled: true + opendj: + # -- Boolean flag to enable/disable the OpenDJ chart. + enabled: false + # -- Name of the OpenDJ service. Please keep it as default. + ldapServiceName: opendj + # -- Gluu distributions supported are: default|openbanking. + distribution: default + persistence: + # -- Boolean flag to enable/disable the persistence chart. + enabled: true + scim: + # -- Name of the scim service. Please keep it as default. + scimServiceName: scim + # -- Boolean flag to enable/disable the SCIM chart. + enabled: true + # -- passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- jans-scim.log target + scimLogTarget: "STDOUT" + # -- jans-scim.log level + scimLogLevel: "INFO" + # -- jans-scim_persistence.log target + persistenceLogTarget: "FILE" + # -- jans-scim_persistence.log level + persistenceLogLevel: "INFO" + # -- jans-scim_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- jans-scim_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- jans-scim_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- jans-scim_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- jans-scim_script.log target + scriptLogTarget: "FILE" + # -- jans-scim_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # -- Enable endpoint /.well-known/scim-configuration + scimConfigEnabled: false + # -- Enable SCIM endpoints /jans-scim + scimEnabled: false + # -- StorageClass section for OpenDJ charts. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. + storageClass: + allowVolumeExpansion: true + allowedTopologies: [] + mountOptions: + - debug + # -- parameters: + #fsType: "" + #kind: "" + #pool: "" + #storageAccountType: "" + #type: "" + parameters: {} + provisioner: microk8s.io/hostpath + reclaimPolicy: Retain + volumeBindingMode: WaitForFirstConsumer + link: + # -- Name of the link service. Please keep it as default. + linkServiceName: link + # -- Boolean flag to enable/disable the link chart. + enabled: false + # -- passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + # -- App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. + appLoggers: + # -- Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO + enableStdoutLogPrefix: "true" + # -- cacherefresh.log target + linkLogTarget: "STDOUT" + # -- cacherefresh.log level + linkLogLevel: "INFO" + # -- cacherefresh_persistence.log target + persistenceLogTarget: "FILE" + # -- cacherefresh_persistence.log level + persistenceLogLevel: "INFO" + # -- cacherefresh_persistence_duration.log target + persistenceDurationLogTarget: "FILE" + # -- cacherefresh_persistence_duration.log level + persistenceDurationLogLevel: "INFO" + # -- cacherefresh_persistence_ldap_statistics.log target + ldapStatsLogTarget: "FILE" + # -- cacherefresh_persistence_ldap_statistics.log level + ldapStatsLogLevel: "INFO" + # -- cacherefresh_script.log target + scriptLogTarget: "FILE" + # -- cacherefresh_script.log level + scriptLogLevel: "INFO" + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable link endpoints /jans-link + linkEnabled: true + saml: + # -- Name of the saml service. Please keep it as default. + samlServiceName: saml + # -- Boolean flag to enable/disable the saml chart. + enabled: false + # -- Enable endpoints in either istio or nginx ingress depending on users choice + ingress: + # Enable saml endpoints /kc + samlEnabled: false + # -- passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. + cnCustomJavaOptions: "" + + # -- Path to SQL password file + cnSqlPasswordFile: /etc/jans/conf/sql_password + # -- Path to Couchbase password file + cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password + # -- Path to Couchbase superuser password file + cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password + # -- Path to LDAP password file + cnLdapPasswordFile: /etc/jans/conf/ldap_password + # -- Path to LDAP truststore password file + cnLdapTruststorePasswordFile: /etc/jans/conf/ldap_truststore_password + # -- Path to OpenDJ cert file + cnLdapCertFile: /etc/certs/opendj.crt + # -- Path to OpenDJ key file + cnLdapKeyFile: /etc/certs/opendj.key + # -- Path to OpenDJ CA cert file + cnLdapCacertFile: /etc/certs/opendj.pem + # -- Path to OpenDJ truststore file + cnLdapTruststoreFile: /etc/certs/opendj.pkcs12 + # -- Path to file contains password for database access + kcDbPasswordFile: /etc/jans/conf/kc_db_password + # -- Path to file contains Keycloak admin credentials (username and password) + kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds + +# -- Nginx ingress definitions chart +nginx-ingress: + certManager: + # Enable deploying a certificate that uses dns01 challenge instead of passing an annotation nginx-ingress.ingress.additionalAnnotations for nginx http01 challenge. + certificate: + enabled: false + issuerKind: ClusterIssuer + # Issuer name which you will create manually. Can be letsencrypt-production. + issuerName: "" + issuerGroup: cert-manager.io + ingress: + # -- Admin UI ingress resource labels. key app is taken. + adminUiLabels: { } + # -- openid-configuration ingress resource additional annotations. + adminUiAdditionalAnnotations: { } + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- SCIM config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- configAPI ingress resource labels. key app is taken + configApiLabels: { } + # -- ConfigAPI ingress resource additional annotations. + configApiAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } + # -- Auth server ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedTokenLabels: { } + # -- Auth server protected token ingress resource additional annotations. + authServerProtectedTokenAdditionalAnnotations: { } + # -- Auth server protected token ingress resource labels. key app is taken + authServerProtectedRegisterLabels: { } + # -- Auth server protected register ingress resource additional annotations. + authServerProtectedRegisterAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: {} + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + path: / + hosts: + - demoexample.gluu.org + # -- Secrets holding HTTPS CA cert and key. + tls: + - secretName: tls-certificate + hosts: + - demoexample.gluu.org + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +opendj: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: 1 + # -- Configure ldap backup cronjob + backup: + enabled: true + cronJobSchedule: "*/59 * * * *" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] + + persistence: + # -- OpenDJ volume size + size: 5Gi + ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi + # -- Configure the liveness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 + # -- Configure the readiness healthcheck for OpenDJ if needed. + # https://github.com/GluuFederation/docker-opendj/blob/master/scripts/healthcheck.py + readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Job to generate data and initial config for Gluu Server persistence layer. +persistence: + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/persistence-loader + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Resource specs. + resources: + limits: + # -- CPU limit + cpu: 300m + # -- Memory limit. + memory: 300Mi + requests: + # -- CPU request. + cpu: 300m + # -- Memory request. + memory: 300Mi + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- System for Cross-domain Identity Management (SCIM) version 2.0 +scim: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/scim + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + resources: + limits: + # -- CPU limit. + cpu: 1000m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 1000m + # -- Memory request. + memory: 1000Mi + service: + # -- The name of the scim port within the scim service. Please keep it as default. + name: http-scim + # -- Port of the scim service. Please keep it as default. + port: 8080 + # -- Configure the liveness healthcheck for SCIM if needed. + livenessProbe: + httpGet: + # -- http liveness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + # -- Configure the readiness healthcheck for the SCIM if needed. + readinessProbe: + httpGet: + # -- http readiness probe endpoint + path: /jans-scim/sys/health-check + port: 8080 + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- Link. +link: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/link + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + + + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] +# -- SAML. +saml: + # -- Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API + # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: {} + # -- Define below as many constraints as needed. The key name should follow the structure tsc1, tsc2...etc. + # Do not enter the key labelSelector in the entry/entries below as that is automatically injected by the chart + #tsc1: + # maxSkew: 1 + # minDomains: 1 # optional; beta since v1.25 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: DoNotSchedule + # matchLabelKeys: [] # optional; alpha since v1.25 + # nodeAffinityPolicy: [] # optional; alpha since v1.25 + # nodeTaintsPolicy: [] # optional; alpha since v1.25 + #tsc2: + #maxSkew: 1 + # -- Configure the PodDisruptionBudget + pdb: + enabled: true + maxUnavailable: "90%" + # -- Configure the HorizontalPodAutoscaler + hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} + # -- Add custom normal and secret envs to the service + usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} + # -- Add custom dns policy + dnsPolicy: "" + # -- Add custom dns config + dnsConfig: {} + image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: ghcr.io/janssenproject/jans/saml + # -- Image tag to use for deploying. + tag: 1.1.1-1 + # -- Image Pull Secrets + pullSecrets: [ ] + # -- Service replica number. + replicas: 1 + # -- Resource specs. + resources: + limits: + # -- CPU limit. + cpu: 500m + # -- Memory limit. + memory: 1000Mi + requests: + # -- CPU request. + cpu: 500m + # -- Memory request. + memory: 1000Mi + # -- Configure the liveness healthcheck for the auth server if needed. + livenessProbe: + # -- http liveness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 10 + readinessProbe: + # -- http readiness probe endpoint + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 25 + periodSeconds: 25 + timeoutSeconds: 5 + failureThreshold: 10 + # -- Configure any additional volumes that need to be attached to the pod + volumes: [] + # -- Configure any additional volumesMounts that need to be attached to the containers + volumeMounts: [] + # Actions on lifecycle events such as postStart and preStop + # Example + # lifecycle: + # postStart: + # exec: + # command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"] + lifecycle: {} + + # -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} + additionalAnnotations: { } + # -- Add custom scripts that have been mounted to run before the entrypoint. + # - /tmp/custom.sh + # - /tmp/custom2.sh + customScripts: [ ] diff --git a/charts/gluu/gluu/Chart.yaml b/charts/gluu/gluu/5.1.2/Chart.yaml similarity index 100% rename from charts/gluu/gluu/Chart.yaml rename to charts/gluu/gluu/5.1.2/Chart.yaml diff --git a/charts/gluu/gluu/README.md b/charts/gluu/gluu/5.1.2/README.md similarity index 100% rename from charts/gluu/gluu/README.md rename to charts/gluu/gluu/5.1.2/README.md diff --git a/charts/gluu/gluu/5.1.2/app-readme.md b/charts/gluu/gluu/5.1.2/app-readme.md new file mode 100644 index 0000000000..b2148c4c1e --- /dev/null +++ b/charts/gluu/gluu/5.1.2/app-readme.md @@ -0,0 +1,38 @@ +## Tutorial + +For a full walkthrough of the Gluu Flex Server on Rancher, please see the [Gluu Server on Rancher Tutorial](https://docs.gluu.org/stable/admin/recipes/getting-started-rancher/). + +## Introduction +The Gluu Server is a container distribution of free open source software (FOSS) for identity and access management (IAM). SaaS, custom, open source and commercial web and mobile applications can leverage a Gluu Server for user authentication, identity information, and policy decisions. + +Common use cases include: + +- Single sign-on (SSO) +- Mobile authentication +- API access management +- Two-factor authentication (2FA) +- Customer identity and access management (CIAM) +- Identity federation + +### Free Open Source Software +The Gluu Server is a FOSS platform for IAM. + +### Open Web Standards +The Gluu Server can be deployed to support the following open standards for authentication, authorization, federated identity, and identity management: + +- OAuth 2.0 +- OpenID Connect +- User Managed Access 2.0 (UMA) +- System for Cross-domain Identity Management (SCIM) +- FIDO Universal 2nd Factor (U2F) +- FIDO 2.0 / WebAuthn +- Lightweight Directory Access Protocol (LDAP) +- Remote Authentication Dial-In User Service (RADIUS) + +### Important notes for installation: +- Make sure to enable `Customize Helm options before install` after clicking the initial `Install` on the top right. When you view your helm options, please uncheck the wait parameter as that conflicts with the post-install hook for the persistence image. + +### Quick install on Rancher UI with Docker single node +- Install the nginx-ingress-controller chart. +- Install the OpenEBS chart. +- Install Gluu chart and specify your persistence as ldap. \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/.helmignore b/charts/gluu/gluu/5.1.2/charts/admin-ui/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/admin-ui/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/admin-ui/Chart.yaml diff --git a/charts/gluu/gluu/charts/admin-ui/README.md b/charts/gluu/gluu/5.1.2/charts/admin-ui/README.md similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/README.md rename to charts/gluu/gluu/5.1.2/charts/admin-ui/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/_helpers.tpl new file mode 100644 index 0000000000..3fa0c5985e --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "admin-ui.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "admin-ui.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "admin-ui.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "admin-ui.labels" -}} +app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +helm.sh/chart: {{ include "admin-ui.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "admin-ui.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "admin-ui.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "admin-ui.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "admin-ui.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-destination-rules.yaml new file mode 100644 index 0000000000..ecf4699b22 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-admin-ui-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-pdb.yaml new file mode 100644 index 0000000000..5d81cf14be --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "admin-ui.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-virtual-services.yaml new file mode 100644 index 0000000000..2b0fc58df1 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/admin-ui-virtual-services.yaml @@ -0,0 +1,37 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "admin-ui" "ingress" "adminUiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-admin-ui + namespace: {{.Release.Namespace}} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/admin" + route: + - destination: + host: {{ index .Values "global" "admin-ui" "adminUiServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/admin-ui/templates/deployment.yml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/deployment.yml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/templates/deployment.yml rename to charts/gluu/gluu/5.1.2/charts/admin-ui/templates/deployment.yml diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/hpa.yaml new file mode 100644 index 0000000000..4720b2c49b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "admin-ui.fullname" . }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "admin-ui.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/service.yml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/service.yml new file mode 100644 index 0000000000..54b311c2e2 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "admin-ui.name" . }} #admin-ui + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..02fd969b74 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/admin-ui/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: admin-ui +{{ include "admin-ui.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/admin-ui/values.yaml b/charts/gluu/gluu/5.1.2/charts/admin-ui/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/admin-ui/values.yaml rename to charts/gluu/gluu/5.1.2/charts/admin-ui/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/.helmignore b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/Chart.yaml diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/README.md b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/README.md similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/README.md rename to charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/_helpers.tpl new file mode 100644 index 0000000000..e76631f29c --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "auth-server-key-rotation.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "auth-server-key-rotation.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "auth-server-key-rotation.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "auth-server-key-rotation.labels" -}} +app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} +helm.sh/chart: {{ include "auth-server-key-rotation.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "auth-server-key-rotation.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "auth-server-key-rotation.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/cronjobs.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/templates/cronjobs.yaml rename to charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/cronjobs.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/service.yaml new file mode 100644 index 0000000000..af58e82830 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/service.yaml @@ -0,0 +1,25 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +apiVersion: v1 +kind: Service +metadata: + name: {{ include "auth-server-key-rotation.fullname" . }} + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "auth-server-key-rotation.name" . }} + type: ClusterIP +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..5ed268ebb5 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "auth-server-key-rotation.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server-key-rotation/values.yaml rename to charts/gluu/gluu/5.1.2/charts/auth-server-key-rotation/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/.helmignore b/charts/gluu/gluu/5.1.2/charts/auth-server/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/auth-server/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/auth-server/Chart.yaml diff --git a/charts/gluu/gluu/charts/auth-server/README.md b/charts/gluu/gluu/5.1.2/charts/auth-server/README.md similarity index 100% rename from charts/gluu/gluu/charts/auth-server/README.md rename to charts/gluu/gluu/5.1.2/charts/auth-server/README.md diff --git a/charts/gluu/gluu/charts/auth-server/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/auth-server/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-destination-rules.yaml new file mode 100644 index 0000000000..708ce616c6 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-auth-server-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-pdb.yaml new file mode 100644 index 0000000000..5ca61a6255 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "auth-server.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-protected-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-protected-virtual-services.yaml new file mode 100644 index 0000000000..522f6757b4 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-protected-virtual-services.yaml @@ -0,0 +1,53 @@ +{{- if .Values.global.istio.ingress }} +# NEEDS WORK TO ALLOW CLIENT SIDE AUTHENTICATION. THIS IS MERELY A PLACEHOLDER +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server-protected-endpoints + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-token" + match: + - uri: + prefix: "/jans-auth/restv1/token" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} + - name: "{{ .Release.Name }}-istio-auth-server-protected-register" + match: + - uri: + prefix: "/jans-auth/restv1/register" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-virtual-services.yaml new file mode 100644 index 0000000000..55cc397244 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/auth-server-virtual-services.yaml @@ -0,0 +1,137 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-auth-server + namespace: {{.Release.Namespace}} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-openid-config" + match: + - uri: + prefix: "/.well-known/openid-configuration" + rewrite: + uri: "/jans-auth/.well-known/openid-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} + - name: "{{ .Release.Name }}-istio-device-code" + match: + - uri: + prefix: "/device-code" + rewrite: + uri: "/jans-auth/device_authorization.htm" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} + - name: "{{ .Release.Name }}-istio-firebase-messaging" + match: + - uri: + prefix: "/firebase-messaging-sw.js" + rewrite: + uri: "/jans-auth/firebase-messaging-sw.js" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-uma2-config" + match: + - uri: + prefix: "/.well-known/uma2-configuration" + rewrite: + uri: "/jans-auth/restv1/uma2-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} + - name: "{{ .Release.Name }}-istio-webfinger" + match: + - uri: + prefix: "/.well-known/webfinger" + rewrite: + uri: "/jans-auth/.well-known/webfinger" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} + - name: "{{ .Release.Name }}-istio-webdiscovery" + match: + - uri: + prefix: "/.well-known/simple-web-discovery" + rewrite: + uri: "/jans-auth/.well-known/simple-web-discovery" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} + - name: "{{ .Release.Name }}-istio-cn" + match: + - uri: + prefix: "/jans-auth" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + {{- end }} + {{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} + - name: "{{ .Release.Name }}-istio-u2f-config" + match: + - uri: + prefix: "/.well-known/fido-configuration" + rewrite: + uri: "/jans-auth/restv1/fido-configuration" + route: + - destination: + host: {{ index .Values "global" "auth-server" "authServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server/templates/deployment.yml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/deployment.yml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/templates/deployment.yml rename to charts/gluu/gluu/5.1.2/charts/auth-server/templates/deployment.yml diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/hpa.yaml new file mode 100644 index 0000000000..7a35d43381 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "auth-server.fullname" . }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "auth-server.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/service.yml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/service.yml new file mode 100644 index 0000000000..07b0de5897 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "auth-server.name" . }} #auth-server + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/auth-server/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..19b24ab92c --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/auth-server/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: auth-server +{{ include "auth-server.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/auth-server/values.yaml b/charts/gluu/gluu/5.1.2/charts/auth-server/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/auth-server/values.yaml rename to charts/gluu/gluu/5.1.2/charts/auth-server/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/casa/.helmignore b/charts/gluu/gluu/5.1.2/charts/casa/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/charts/casa/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/casa/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/casa/Chart.yaml diff --git a/charts/gluu/gluu/charts/casa/README.md b/charts/gluu/gluu/5.1.2/charts/casa/README.md similarity index 100% rename from charts/gluu/gluu/charts/casa/README.md rename to charts/gluu/gluu/5.1.2/charts/casa/README.md diff --git a/charts/gluu/gluu/charts/casa/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/casa/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/casa/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-destination-rules.yaml new file mode 100644 index 0000000000..eb2e5eaa61 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-casa-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.casa.casaServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-pdb.yaml new file mode 100644 index 0000000000..54ad15de59 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "casa.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "casa.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-virtual-services.yaml new file mode 100644 index 0000000000..3d34e05410 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/casa-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.casa.ingress.casaEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-casa + namespace: {{.Release.Namespace}} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-casa + match: + - uri: + prefix: /jans-casa + route: + - destination: + host: {{ .Values.global.casa.casaServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/charts/casa/templates/deployment.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/deployment.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/templates/deployment.yaml rename to charts/gluu/gluu/5.1.2/charts/casa/templates/deployment.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/hpa.yaml new file mode 100644 index 0000000000..0d292fd3fd --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "casa.fullname" . }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "casa.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/service.yaml new file mode 100644 index 0000000000..e736cc014a --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.casa.casaServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "casa.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/casa/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/casa/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8a71e1ea8f --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/casa/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: casa +{{ include "casa.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/casa/values.yaml b/charts/gluu/gluu/5.1.2/charts/casa/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/casa/values.yaml rename to charts/gluu/gluu/5.1.2/charts/casa/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/.helmignore b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/Chart.yaml diff --git a/charts/gluu/gluu/charts/cn-istio-ingress/README.md b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/README.md similarity index 100% rename from charts/gluu/gluu/charts/cn-istio-ingress/README.md rename to charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..75a5dee781 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/_helpers.tpl @@ -0,0 +1,63 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "istio.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "istio.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "istio.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "istio.labels" -}} +helm.sh/chart: {{ include "istio.chart" . }} +{{ include "istio.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "istio.selectorLabels" -}} +app.kubernetes.io/name: {{ include "istio.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "istio.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "istio.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/gateway.yaml b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/gateway.yaml new file mode 100644 index 0000000000..13434720ad --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/templates/gateway.yaml @@ -0,0 +1,37 @@ +{{- if not .Values.global.istio.gateways }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: {{ .Release.Name }}-global-gtw + namespace: {{ .Release.Namespace }} +{{- if .Values.global.istio.additionalLabels }} + labels: +{{ toYaml .Values.global.istio.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.global.istio.additionalAnnotations }} + annotations: +{{ toYaml .Values.global.istio.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + istio: ingressgateway + servers: + # admin-ui + - port: + number: 80 + name: http-admin-ui + protocol: HTTP + hosts: + - {{ .Values.global.fqdn }} + tls: + httpsRedirect: true + - port: + number: 443 + name: https + protocol: HTTPS + hosts: + - {{ .Values.global.fqdn }} + tls: + mode: SIMPLE # enable https on this port + credentialName: tls-certificate # fetch cert from k8s secret +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/values.yaml b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/values.yaml new file mode 100644 index 0000000000..645a121318 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/cn-istio-ingress/values.yaml @@ -0,0 +1,4 @@ +# Default values for istio. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/.helmignore b/charts/gluu/gluu/5.1.2/charts/config-api/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/config-api/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/config-api/Chart.yaml diff --git a/charts/gluu/gluu/charts/config-api/README.md b/charts/gluu/gluu/5.1.2/charts/config-api/README.md similarity index 100% rename from charts/gluu/gluu/charts/config-api/README.md rename to charts/gluu/gluu/5.1.2/charts/config-api/README.md diff --git a/charts/gluu/gluu/charts/config-api/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/config-api/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/config-api/templates/_helpers.tpl diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-destination-rules.yaml new file mode 100644 index 0000000000..255fac7282 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-config-api-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-pdb.yaml new file mode 100644 index 0000000000..2153d9a39c --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "config-api.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-virtual-services.yaml new file mode 100644 index 0000000000..49bd94283f --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/templates/config-api-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "config-api" "ingress" "configApiEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-config-api + namespace: {{.Release.Namespace}} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-config-api + match: + - uri: + prefix: /jans-config-api + route: + - destination: + host: {{ index .Values "global" "config-api" "configApiServerServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8074 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/charts/config-api/templates/deployment.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/deployment.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/templates/deployment.yaml rename to charts/gluu/gluu/5.1.2/charts/config-api/templates/deployment.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/hpa.yaml new file mode 100644 index 0000000000..aed5352e74 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "config-api.fullname" . }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "config-api.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config-api/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/templates/service.yaml new file mode 100644 index 0000000000..1782cc7e9d --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config-api/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: config-api +{{ include "config-api.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9444 + name: tcp-{{ include "config-api.name" . }}-ssl + - port: 8074 + name: tcp-{{ include "config-api.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "config-api.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/charts/config-api/values.yaml b/charts/gluu/gluu/5.1.2/charts/config-api/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/config-api/values.yaml rename to charts/gluu/gluu/5.1.2/charts/config-api/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/config/.helmignore b/charts/gluu/gluu/5.1.2/charts/config/.helmignore new file mode 100644 index 0000000000..b8204d7442 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +tls_generator.py diff --git a/charts/gluu/gluu/charts/config/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/config/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/config/Chart.yaml diff --git a/charts/gluu/gluu/charts/config/README.md b/charts/gluu/gluu/5.1.2/charts/config/README.md similarity index 100% rename from charts/gluu/gluu/charts/config/README.md rename to charts/gluu/gluu/5.1.2/charts/config/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/config/templates/_helpers.tpl new file mode 100644 index 0000000000..b8fd74dfb3 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/_helpers.tpl @@ -0,0 +1,97 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "config.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "config.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "config.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "config.labels" -}} +app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load +helm.sh/chart: {{ include "config.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "config.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "config.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create optional scopes list +*/}} +{{- define "config.optionalScopes"}} +{{ $newList := list }} +{{- if eq .Values.configmap.cnCacheType "REDIS" }} +{{ $newList = append $newList ("redis" | quote ) }} +{{- end}} +{{ if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +{{ $newList = append $newList ("couchbase" | quote) }} +{{- end}} +{{ if eq .Values.global.cnPersistenceType "sql" }} +{{ $newList = append $newList ("sql" | quote) }} +{{- end }} +{{- if .Values.global.opendj.enabled}} +{{ $newList = append $newList ("ldap" | quote) }} +{{- end}} +{{- if .Values.global.fido2.enabled}} +{{ $newList = append $newList ("fido2" | quote) }} +{{- end}} +{{- if .Values.global.casa.enabled}} +{{ $newList = append $newList ("casa" | quote) }} +{{- end}} +{{- if .Values.global.scim.enabled}} +{{ $newList = append $newList ("scim" | quote) }} +{{- end}} +{{ toJson $newList }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/clusterrolebinding.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..ce43044f50 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/clusterrolebinding.yaml @@ -0,0 +1,45 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-admin-binding + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: User + # change it to your actual account; the email can be fetched using + # the following command: `gcloud info | grep Account` + name: "ACCOUNT" + apiGroup: rbac.authorization.k8s.io + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: {{ include "config.name" . }}-load + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit +subjects: +- kind: ServiceAccount + name: default + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/configmaps.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/configmaps.yaml new file mode 100644 index 0000000000..9265387494 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/configmaps.yaml @@ -0,0 +1,483 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-cm + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + # Jetty header size in bytes in the auth server + CN_JETTY_REQUEST_HEADER_SIZE: {{ .Values.configmap.cnJettyRequestHeaderSize | quote }} + # Port used by Prometheus JMX agent + CN_PROMETHEUS_PORT: {{ .Values.global.cnPrometheusPort | quote }} + CN_DISTRIBUTION: {{ .Values.global.distribution | quote }} + {{ if .Values.global.cnObExtSigningJwksUri }} + CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }} + CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }} + CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }} + # force the AS to use a specific signing key + CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }} + {{- end }} + {{ if or (eq .Values.global.configAdapterName "google") (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + # [google_envs] Envs related to using Google + GOOGLE_APPLICATION_CREDENTIALS: {{ .Values.global.cnGoogleApplicationCredentials | quote }} + GOOGLE_PROJECT_ID: {{ .Values.configmap.cnGoogleProjectId | quote }} + {{- end }} + {{ if eq .Values.global.cnPersistenceType "spanner" }} + # [google_spanner_envs] Envs related to using Google Cloud Spanner + CN_GOOGLE_SPANNER_INSTANCE_ID: {{ .Values.configmap.cnGoogleSpannerInstanceId | quote }} + CN_GOOGLE_SPANNER_DATABASE_ID: {{ .Values.configmap.cnGoogleSpannerDatabaseId | quote }} + # [google_spanner_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.configAdapterName "google") }} + # [google_secret_manager_envs] Envs related to using Google Secret Manager to store config and secret layer + CN_GOOGLE_SECRET_VERSION_ID: {{ .Values.configmap.cnGoogleSecretVersionId | quote }} + CN_GOOGLE_SECRET_NAME_PREFIX: {{ .Values.configmap.cnGoogleSecretNamePrefix | quote }} + # [google_secret_manager_envs] END + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + # [aws_envs] Envs related to using AWS + {{- if .Values.configmap.cnAwsSecretsEndpointUrl }} + CN_AWS_SECRETS_ENDPOINT_URL: {{ .Values.configmap.cnAwsSecretsEndpointUrl }} + {{- end }} + CN_AWS_SECRETS_PREFIX: {{ .Values.configmap.cnAwsSecretsNamePrefix }} + CN_AWS_SECRETS_REPLICA_FILE: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + AWS_DEFAULT_REGION: {{ .Values.configmap.cnAwsDefaultRegion }} + AWS_SHARED_CREDENTIALS_FILE: {{ .Values.global.cnAwsSharedCredentialsFile }} + AWS_CONFIG_FILE: {{ .Values.global.cnAwsConfigFile }} + #AWS_PROFILE + # [aws_envs] END + {{- end }} + # [vault_envs] Envs related to Hashicorp vault + {{ if eq .Values.global.configSecretAdapter "vault" }} + CN_SECRET_VAULT_ADDR: {{ .Values.configmap.cnVaultAddr | quote }} + CN_SECRET_VAULT_VERIFY: {{ .Values.configmap.cnVaultVerify | quote }} + CN_SECRET_VAULT_ROLE_ID_FILE: {{ .Values.configmap.cnVaultRoleIdFile | quote }} + CN_SECRET_VAULT_SECRET_ID_FILE: {{ .Values.configmap.cnVaultSecretIdFile | quote }} + CN_SECRET_VAULT_NAMESPACE: {{ .Values.configmap.cnVaultNamespace | quote }} + CN_SECRET_VAULT_KV_PATH: {{ .Values.configmap.cnVaultKvPath | quote }} + CN_SECRET_VAULT_PREFIX: {{ .Values.configmap.cnVaultPrefix | quote }} + CN_SECRET_VAULT_APPROLE_PATH: {{ .Values.configmap.cnVaultAppRolePath | quote }} + # [vault_envs] END + {{- end }} + CN_SQL_DB_SCHEMA: {{ .Values.configmap.cnSqlDbSchema | quote }} + CN_SQL_DB_DIALECT: {{ .Values.configmap.cnSqlDbDialect }} + CN_SQL_DB_HOST: {{ .Values.configmap.cnSqlDbHost }} + CN_SQL_DB_PORT: {{ .Values.configmap.cnSqlDbPort | quote }} + CN_SQL_DB_NAME: {{ .Values.configmap.cnSqlDbName }} + CN_SQL_DB_USER: {{ .Values.configmap.cnSqlDbUser }} + CN_SQL_DB_TIMEZONE: {{ .Values.configmap.cnSqlDbTimezone }} + CN_CONFIG_ADAPTER: {{ .Values.global.configAdapterName }} + CN_SECRET_ADAPTER: {{ .Values.global.configSecretAdapter }} + CN_CONFIG_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_SECRET_KUBERNETES_NAMESPACE: {{ .Release.Namespace | quote }} + CN_CONFIG_KUBERNETES_CONFIGMAP: {{ .Values.configmap.cnConfigKubernetesConfigMap }} + CN_SECRET_KUBERNETES_SECRET: {{ .Values.configmap.cnSecretKubernetesSecret }} + CN_CONTAINER_METADATA: {{ .Values.configmap.containerMetadataName | quote }} + CN_MAX_RAM_PERCENTAGE: {{ .Values.configmap.cnMaxRamPercent | quote }} + CN_CACHE_TYPE: {{ .Values.configmap.cnCacheType | quote }} + CN_DOCUMENT_STORE_TYPE: {{ .Values.global.cnDocumentStoreType | quote }} + DOMAIN: {{ .Values.global.fqdn | quote }} + CN_AUTH_SERVER_BACKEND: {{ cat ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080" | quote | nospace }} + CN_AUTH_APP_LOGGERS: {{ index .Values "global" "auth-server" "appLoggers" + | toJson + | replace "authLogTarget" "auth_log_target" + | replace "authLogLevel" "auth_log_level" + | replace "httpLogTarget" "http_log_target" + | replace "httpLogLevel" "http_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "auditStatsLogTarget" "audit_log_target" + | replace "auditStatsLogLevel" "audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- if index .Values "global" "config-api" "enabled" }} + CN_CONFIG_API_APP_LOGGERS: {{ index .Values "global" "config-api" "appLoggers" + | toJson + | replace "configApiLogTarget" "config_api_log_target" + | replace "configApiLogLevel" "config_api_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if and (not .Values.global.isFqdnRegistered ) (or (eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") (eq .Values.global.storageClass.provisioner "openebs.io/local")) }} + LB_ADDR: {{ .Values.configmap.lbAddr }} + {{- end }} + CN_PERSISTENCE_TYPE: {{ .Values.global.cnPersistenceType }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is ldap or hybrid + {{- if .Values.configmap.cnLdapUrl }} + CN_LDAP_URL: {{ .Values.configmap.cnLdapUrl | quote }} + {{- else }} + CN_LDAP_URL: {{ cat ( .Values.global.opendj.ldapServiceName ) ":1636" | quote | nospace }} + {{- end }} + {{- else if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + # used only if CN_PERSISTENCE_TYPE is couchbase or hybrid + CN_COUCHBASE_URL: {{ .Values.configmap.cnCouchbaseUrl }} + CN_COUCHBASE_BUCKET_PREFIX: {{ .Values.configmap.cnCouchbaseBucketPrefix }} + CN_COUCHBASE_INDEX_NUM_REPLICA: {{ .Values.configmap.cnCouchbaseIndexNumReplica | quote }} + CN_COUCHBASE_USER: {{ .Values.configmap.cnCouchbaseUser }} + CN_COUCHBASE_SUPERUSER: {{ .Values.configmap.cnCouchbaseSuperUser }} + {{- end }} + CN_KEY_ROTATION_FORCE: "false" + CN_KEY_ROTATION_CHECK: "3600" + CN_KEY_ROTATION_INTERVAL: "48" + {{- if .Values.global.isFqdnRegistered }} + CN_SSL_CERT_FROM_SECRETS: "false" + {{- else }} + CN_SSL_CERT_FROM_SECRETS: "true" + {{- end }} + CN_CONTAINER_MAIN_NAME: {{ .Release.Name }}-auth-server + # options: default/user/site/cache/statistic used only if CN_PERSISTENCE_TYPE is hybrid or hybrid + {{- if or (eq .Values.global.cnPersistenceType "hybrid") (eq .Values.global.cnPersistenceType "ldap") }} + # must the same as the opendj service name + CN_CERT_ALT_NAME: {{ .Values.global.opendj.ldapServiceName }} #{{ template "cn.fullname" . }}-service + CN_HYBRID_MAPPING: {{ .Values.configmap.cnPersistenceHybridMapping | quote }} + {{- end }} + # Auto enable installation of some services + {{ if or (eq .Values.configmap.cnCacheType "REDIS") (eq .Values.configmap.cnMessageType "REDIS") }} + CN_REDIS_URL: {{ .Values.configmap.cnRedisUrl | quote }} + {{- end }} + {{ if eq .Values.configmap.cnCacheType "REDIS" }} + CN_REDIS_TYPE: {{ .Values.configmap.cnRedisType | quote }} + CN_REDIS_USE_SSL: {{ .Values.configmap.cnRedisUseSsl | quote }} + CN_REDIS_SSL_TRUSTSTORE: {{ .Values.configmap.cnRedisSslTruststore | quote }} + CN_REDIS_SENTINEL_GROUP: {{ .Values.configmap.cnRedisSentinelGroup | quote }} + {{- end }} + {{- if .Values.global.istio.enabled }} + CN_COUCHBASE_TRUSTSTORE_ENABLE: "false" + CN_LDAP_USE_SSL: "false" + {{- end }} + {{- if .Values.global.scim.enabled }} + CN_SCIM_ENABLED: {{ .Values.global.scim.enabled | quote }} + CN_SCIM_PROTECTION_MODE: {{ .Values.configmap.cnScimProtectionMode | quote }} + CN_SCIM_APP_LOGGERS: {{ .Values.global.scim.appLoggers + | toJson + | replace "scimLogTarget" "scim_log_target" + | replace "scimLogLevel" "scim_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "ldapStatsLogTarget" "ldap_stats_log_target" + | replace "ldapStatsLogLevel" "ldap_stats_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.fido2.enabled }} + CN_FIDO2_APP_LOGGERS: {{ .Values.global.fido2.appLoggers + | toJson + | replace "fido2LogTarget" "fido2_log_target" + | replace "fido2LogLevel" "fido2_log_level" + | replace "persistenceLogTarget" "persistence_log_target" + | replace "persistenceLogLevel" "persistence_log_level" + | replace "persistenceDurationLogTarget" "persistence_duration_log_target" + | replace "persistenceDurationLogLevel" "persistence_duration_log_level" + | replace "scriptLogTarget" "script_log_target" + | replace "scriptLogLevel" "script_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if index .Values "global" "admin-ui" "enabled" }} + # ADMIN-UI + ADMIN_UI_JWKS: {{ cat "http://" ( index .Values "global" "auth-server" "authServerServiceName" ) ":8080/jans-auth/restv1/jwks" | quote | nospace }} + CN_ADMIN_UI_PLUGIN_LOGGERS: {{ index .Values "global" "config-api" "adminUiAppLoggers" + | toJson + | replace "adminUiLogTarget" "admin_ui_log_target" + | replace "adminUiLogLevel" "admin_ui_log_level" + | replace "adminUiAuditLogTarget" "admin_ui_audit_log_target" + | replace "adminUiAuditLogLevel" "admin_ui_audit_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + {{- if .Values.global.casa.enabled}} # CASA + CN_CASA_APP_LOGGERS: {{ .Values.global.casa.appLoggers + | toJson + | replace "casaLogTarget" "casa_log_target" + | replace "casaLogLevel" "casa_log_level" + | replace "timerLogTarget" "timer_log_target" + | replace "timerLogLevel" "timer_log_level" + | replace "enableStdoutLogPrefix" "enable_stdout_log_prefix" + | squote + }} + {{- end }} + # delete Duo script (https://github.com/GluuFederation/flex/issues/1120) by disabling the feature + CN_DUO_ENABLED: "false" + CN_SQL_PASSWORD_FILE: {{ .Values.global.cnSqlPasswordFile }} + CN_COUCHBASE_PASSWORD_FILE: {{ .Values.global.cnCouchbasePasswordFile }} + CN_COUCHBASE_SUPERUSER_PASSWORD_FILE: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + CN_LDAP_PASSWORD_FILE: {{ .Values.global.cnLdapPasswordFile }} + CN_LDAP_TRUSTSTORE_PASSWORD_FILE: {{ .Values.global.cnLdapTruststorePasswordFile }} + CN_LDAP_CERT_FILE: {{ .Values.global.cnLdapCertFile }} + CN_LDAP_KEY_FILE: {{ .Values.global.cnLdapKeyFile }} + CN_LDAP_CACERT_FILE: {{ .Values.global.cnLdapCacertFile }} + CN_LDAP_TRUSTSTORE_FILE: {{ .Values.global.cnLdapTruststoreFile }} + CN_CONFIG_API_PLUGINS: {{ index .Values "global" "config-api" "plugins" | quote }} + {{- if .Values.global.saml.enabled }} + QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: {{ .Values.configmap.quarkusTransactionEnableRecovery | quote }} + KC_LOG_LEVEL: {{ .Values.configmap.kcLogLevel | quote }} + KC_PROXY: {{ .Values.configmap.kcProxy | quote }} + KC_DB: {{ .Values.configmap.kcDbVendor | quote }} + KC_DB_USERNAME: {{ .Values.configmap.kcDbUsername | quote }} + KC_DB_SCHEMA: {{ .Values.configmap.kcDbSchema | quote }} + KC_DB_URL_HOST: {{ .Values.configmap.kcDbUrlHost | quote }} + KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }} + KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }} + KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }} + CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.global.kcDbPasswordFile | quote }} + CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.global.kcAdminCredentialsFile | quote }} + {{- end }} + CN_LOCK_ENABLED: {{ index .Values "global" "auth-server" "lockEnabled" | quote }} + CN_OPA_URL: {{ .Values.configmap.cnOpaUrl | quote }} + CN_MESSAGE_TYPE: {{ .Values.configmap.cnMessageType | quote }} +--- + +apiVersion: v1 +data: + tls_generator.py: |- + from kubernetes import config, client + import logging + import base64 + + from jans.pycloudlib import get_manager + + log_format = '%(asctime)s - %(name)8s - %(levelname)5s - %(message)s' + logging.basicConfig(format=log_format, level=logging.INFO) + logger = logging.getLogger("tls-generator") + + # use the serviceAccount k8s gives to pods + config.load_incluster_config() + core_cli = client.CoreV1Api() + + def patch_or_create_namespaced_secret(name, literal, value_of_literal, namespace="default", + secret_type="Opaque", second_literal=None, value_of_second_literal=None, + data=None): + """Patch secret and if not exist create + :param name: + :param literal: + :param value_of_literal: + :param namespace: + :param secret_type: + :param second_literal: + :param value_of_second_literal: + :param data: + :return: + """ + # Instantiate the Secret object + body = client.V1Secret() + metadata = client.V1ObjectMeta(name=name) + body.data = data + if not data: + body.data = {literal: value_of_literal} + body.metadata = metadata + body.type = secret_type + if second_literal: + body.data = {literal: value_of_literal, second_literal: value_of_second_literal} + try: + core_cli.patch_namespaced_secret(name, namespace, body) + logger.info('Secret {} in namespace {} has been patched'.format(name, namespace)) + return + except client.rest.ApiException as e: + if e.status == 404 or not e.status: + try: + core_cli.create_namespaced_secret(namespace=namespace, body=body) + logger.info('Created secret {} of type {} in namespace {}'.format(name, secret_type, namespace)) + return True + except client.rest.ApiException as e: + logger.exception(e) + return False + logger.exception(e) + return False + + # check if gluu secret exists + def get_certs(secret_name, namespace): + """ + + :param namespace: + :return: ssl cert and key from gluu secrets + """ + def b64encode(value): + return base64.b64encode(value.encode()).decode() + + manager = get_manager() + + # returns empty string if not found + ssl_cert = manager.secret.get("ssl_cert") + if ssl_cert: + ssl_cert = b64encode(ssl_cert) + + # returns empty string if not found + ssl_key = manager.secret.get("ssl_key") + if ssl_key: + ssl_key = b64encode(ssl_key) + return ssl_cert, ssl_key + + + def main(): + namespace = {{.Release.Namespace | quote}} + secret_name = {{ .Values.configmap.cnSecretKubernetesSecret | quote }} + cert, key = get_certs(secret_name, namespace) + # global vars + name = "tls-certificate" + + # if istio is enabled + {{- if.Values.global.istio.ingress}} + namespace = {{.Values.global.istio.namespace | quote}} + {{- end}} + + if cert or key: + patch_or_create_namespaced_secret(name=name, + namespace=namespace, + literal="tls.crt", + value_of_literal=cert, + secret_type="kubernetes.io/tls", + second_literal="tls.key", + value_of_second_literal=key) + else: + logger.error( + "No certificate or key was found in secrets." + "This can happen when the ssl certificate for the domain is able to be pulled." + "In that scenario the ssl_cert will be pulled from the domain provided" + ) + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ include "config.fullname" . }}-tls-script + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + +--- + +apiVersion: v1 +data: + updatelbip.py: |- + #!/usr/bin/env python3 + # -*- coding: utf-8 -*- + + # Update the IP of the load balancer automatically + + """ + License terms and conditions for Gluu Cloud Native Edition: + https://www.apache.org/licenses/LICENSE-2.0 + """ + + import socket + import os + import logging + import time + + logger = logging.getLogger("update-lb-ip") + logger.setLevel(logging.INFO) + ch = logging.StreamHandler() + fmt = logging.Formatter('%(levelname)s - %(asctime)s - %(message)s') + ch.setFormatter(fmt) + logger.addHandler(ch) + + + def backup(hosts): + timenow = time.strftime("%c") + timestamp = "Backup occurred %s \n" % timenow + logger.info("Backing up hosts file to /etc/hosts.back ...") + with open('/etc/hosts.back', 'a+') as f: + f.write(timestamp) + for line in hosts: + f.write(line) + + + def get_hosts(lb_addr, domain): + ip_list = [] + hosts_list = [] + ais = socket.getaddrinfo(lb_addr, 0, 0, 0, 0) + for result in ais: + ip_list.append(result[-1][0]) + ip_list = list(set(ip_list)) + for ip in ip_list: + add_host = ip + " " + domain + hosts_list.append(add_host) + + return hosts_list + + + def main(): + try: + while True: + lb_addr = os.environ.get("LB_ADDR", "") + domain = os.environ.get("DOMAIN", "demoexample.gluu.org") + host_file = open('/etc/hosts', 'r').readlines() + hosts = get_hosts(lb_addr, domain) + stop = [] + for host in hosts: + for i in host_file: + if host.replace(" ", "") in i.replace(" ", ""): + stop.append("found") + if len(stop) != len(hosts): + backup(host_file) + logger.info("Writing new hosts file") + with open('/etc/hosts', 'w') as f: + for line in host_file: + if domain not in line: + f.write(line) + for host in hosts: + f.write(host) + f.write("\n") + f.write("\n") + time.sleep(300) + except KeyboardInterrupt: + logger.warning("Canceled by user; exiting ...") + + + if __name__ == "__main__": + main() + +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-updatelbip + namespace: {{ .Release.Namespace }} + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} diff --git a/charts/gluu/gluu/charts/config/templates/load-init-config.yml b/charts/gluu/gluu/5.1.2/charts/config/templates/load-init-config.yml similarity index 100% rename from charts/gluu/gluu/charts/config/templates/load-init-config.yml rename to charts/gluu/gluu/5.1.2/charts/config/templates/load-init-config.yml diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/ob-secrets.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/ob-secrets.yaml new file mode 100644 index 0000000000..cdb1f90415 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/ob-secrets.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.cnObExtSigningJwksCrt }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-ext-signing-jwks-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-ext-signing.crt: {{ .Values.global.cnObExtSigningJwksCrt }} + {{ if .Values.global.cnObExtSigningJwksKey }} + ob-ext-signing.key: {{ .Values.global.cnObExtSigningJwksKey }} + {{- end }} + {{ if .Values.global.cnObExtSigningJwksKeyPassPhrase }} + ob-ext-signing.pin: {{ .Values.global.cnObExtSigningJwksKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportCrt }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-crt-key-pin + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport.crt: {{ .Values.global.cnObTransportCrt }} + {{ if .Values.global.cnObTransportKey }} + ob-transport.key: {{ .Values.global.cnObTransportKey }} + {{- end }} + {{ if .Values.global.cnObTransportKeyPassPhrase }} + ob-transport.pin: {{ .Values.global.cnObTransportKeyPassPhrase }} + {{- end }} +{{- end }} +{{ if .Values.global.cnObTransportTrustStore }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ob-transport-truststore + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + namespace: {{ .Release.Namespace }} +type: Opaque +data: + ob-transport-truststore.p12: {{ .Values.global.cnObTransportTrustStore }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/rolebinding.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/rolebinding.yaml new file mode 100644 index 0000000000..7a58fd6095 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-rolebinding + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +subjects: +- kind: User + name: system:serviceaccount:{{ .Release.Namespace }}:default # Name is case sensitive + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role # this must be Role or ClusterRole + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role # this must match the name of the Role or ClusterRole you wish to bind to + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/roles.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/roles.yaml new file mode 100644 index 0000000000..ef3d0c7083 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/roles.yaml @@ -0,0 +1,19 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-{{ .Release.Namespace }}-cn-role + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +rules: +- apiGroups: [""] # "" refers to the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/secrets.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/secrets.yaml new file mode 100644 index 0000000000..31fa0e439e --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/secrets.yaml @@ -0,0 +1,251 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "config.fullname" . }}-gen-json-file + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + generate.json: |- + { + "hostname": {{ .Values.global.fqdn | quote }}, + "country_code": {{ .Values.countryCode | quote }}, + "state": {{ .Values.state | quote }}, + "city": {{ .Values.city | quote }}, + "admin_pw": {{ .Values.adminPassword | quote }}, + "ldap_pw": {{ .Values.ldapPassword | quote }}, + "redis_pw": {{ .Values.redisPassword | quote }}, + "email": {{ .Values.email | quote }}, + "org_name": {{ .Values.orgName | quote }}, + {{ if eq .Values.global.cnPersistenceType "sql" }} + "sql_pw": {{ .Values.configmap.cnSqldbUserPassword | quote }}, + {{- end }} + {{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} + "couchbase_pw": {{ .Values.configmap.cnCouchbasePassword | quote }}, + "couchbase_superuser_pw": {{ .Values.configmap.cnCouchbaseSuperUserPassword | quote }}, + {{- end }} + "auth_sig_keys": {{ index .Values "global" "auth-server" "authSigKeys" | quote }}, + "auth_enc_keys": {{ index .Values "global" "auth-server" "authEncKeys" | quote }}, + "optional_scopes": {{ list (include "config.optionalScopes" . | fromJsonArray | join ",") }}, + "salt": {{ .Values.salt | quote }}, + "init_keys_exp": {{ index .Values "global" "auth-server-key-rotation" "initKeysLife" }} + } + +{{ if or ( eq .Values.global.cnPersistenceType "couchbase" ) ( eq .Values.global.cnPersistenceType "hybrid" ) }} +{{- if not .Values.global.istio.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-crt + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }} +{{- end }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-aws-config-creds + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +stringData: + aws_shared_credential_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }} + aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }} + aws_config_file: |- + [{{ .Values.configmap.cnAwsProfile }}] + region = {{ .Values.configmap.cnAwsDefaultRegion }} + aws_secrets_replica_regions: |- + {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }} +{{- end }} + +{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-google-sa + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + google-credentials.json: {{ .Values.configmap.cnGoogleSecretManagerServiceAccount }} +{{- end}} + +{{ if eq .Values.global.configSecretAdapter "vault" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-vault + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + vault_role_id: {{ .Values.configmap.cnVaultRoleId | b64enc }} + vault_secret_id: {{ .Values.configmap.cnVaultSecretId | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +# Consider removing secret after moving ldapPass to global. This is only used by the cronJob ldap backup. +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-cron-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + password: {{ .Values.ldapPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + ldap_password: {{ .Values.ldapPassword | b64enc }} + ldap_truststore_password: {{ .Values.ldapTruststorePassword | b64enc }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-ldap-certkey + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + opendj.crt: |- +{{ .Values.configmap.cnLdapCrt | indent 4 }} + opendj.key: |- +{{ .Values.configmap.cnLdapKey | indent 4 }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-sql-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + sql_password: {{ .Values.configmap.cnSqldbUserPassword | b64enc }} +{{- end}} + +{{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cb-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }} + couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }} +{{- end}} + + +{{- if .Values.global.saml.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-kc-db-pass + labels: +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }} +{{- end}} diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/service.yaml new file mode 100644 index 0000000000..da5dedf891 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if ( .Values.global.istio.enabled) }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "config.fullname" . }} + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/config/templates/user-custom-envs.yaml b/charts/gluu/gluu/5.1.2/charts/config/templates/user-custom-envs.yaml new file mode 100644 index 0000000000..35b4fa8cb0 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/config/templates/user-custom-envs.yaml @@ -0,0 +1,64 @@ +{{ if .Values.global.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.global.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} +{{ if .Values.global.usrEnvs.normal }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-global-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +data: + {{- range $key, $val := .Values.global.usrEnvs.normal }} + {{ $key }}: {{ $val | quote }} + {{- end}} +{{- end}} +{{ if .Values.usrEnvs.secret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: configurator +{{ include "config.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/charts/config/values.yaml b/charts/gluu/gluu/5.1.2/charts/config/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/config/values.yaml rename to charts/gluu/gluu/5.1.2/charts/config/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/.helmignore b/charts/gluu/gluu/5.1.2/charts/fido2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/fido2/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/fido2/Chart.yaml diff --git a/charts/gluu/gluu/charts/fido2/README.md b/charts/gluu/gluu/5.1.2/charts/fido2/README.md similarity index 100% rename from charts/gluu/gluu/charts/fido2/README.md rename to charts/gluu/gluu/5.1.2/charts/fido2/README.md diff --git a/charts/gluu/gluu/charts/fido2/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/fido2/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/fido2/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/fido2/templates/deployment.yml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/deployment.yml similarity index 100% rename from charts/gluu/gluu/charts/fido2/templates/deployment.yml rename to charts/gluu/gluu/5.1.2/charts/fido2/templates/deployment.yml diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-destination-rules.yaml new file mode 100644 index 0000000000..2457647e8a --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-fido2-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-pdb.yaml new file mode 100644 index 0000000000..ebc9ce8dc8 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "fido2.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-virtual-services.yaml new file mode 100644 index 0000000000..fe906fa682 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/fido2-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-fido2-configuration + namespace: {{.Release.Namespace}} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.fido2.ingress.fido2ConfigEnabled }} + - name: {{ .Release.Name }}-istio-fido2-configuration + match: + - uri: + prefix: /.well-known/fido2-configuration + rewrite: + uri: /jans-fido2/restv1/fido2/configuration + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.fido2.ingress.fido2Enabled }} + - name: {{ .Release.Name }}-istio-fido2 + match: + - uri: + prefix: "/jans-fido2" + route: + - destination: + host: {{ .Values.global.fido2.fido2ServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/hpa.yaml new file mode 100644 index 0000000000..a4f1362a7b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "fido2.fullname" . }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "fido2.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/service.yml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/service.yml new file mode 100644 index 0000000000..de91e893b3 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.fido2.fido2ServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "fido2.name" . }} #fido2 + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/fido2/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..e2139ba45f --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/fido2/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: fido2 +{{ include "fido2.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/fido2/values.yaml b/charts/gluu/gluu/5.1.2/charts/fido2/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/fido2/values.yaml rename to charts/gluu/gluu/5.1.2/charts/fido2/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/kc-scheduler/.helmignore b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/kc-scheduler/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/Chart.yaml diff --git a/charts/gluu/gluu/charts/kc-scheduler/README.md b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/README.md similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/README.md rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/README.md diff --git a/charts/gluu/gluu/charts/kc-scheduler/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/kc-scheduler/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/cronjobs.yaml similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/templates/cronjobs.yaml rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/cronjobs.yaml diff --git a/charts/gluu/gluu/charts/kc-scheduler/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/service.yaml similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/templates/service.yaml rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/service.yaml diff --git a/charts/gluu/gluu/charts/kc-scheduler/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/user-custom-secret-envs.yaml similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/templates/user-custom-secret-envs.yaml rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/templates/user-custom-secret-envs.yaml diff --git a/charts/gluu/gluu/charts/kc-scheduler/values.yaml b/charts/gluu/gluu/5.1.2/charts/kc-scheduler/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/kc-scheduler/values.yaml rename to charts/gluu/gluu/5.1.2/charts/kc-scheduler/values.yaml diff --git a/charts/gluu/gluu/charts/link/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/link/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/link/Chart.yaml diff --git a/charts/gluu/gluu/charts/link/README.md b/charts/gluu/gluu/5.1.2/charts/link/README.md similarity index 100% rename from charts/gluu/gluu/charts/link/README.md rename to charts/gluu/gluu/5.1.2/charts/link/README.md diff --git a/charts/gluu/gluu/charts/link/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/link/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/link/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/link/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/link/templates/deployment.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/deployment.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/templates/deployment.yaml rename to charts/gluu/gluu/5.1.2/charts/link/templates/deployment.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/link/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/hpa.yaml new file mode 100644 index 0000000000..0b706a2d2b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/link/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "link.fullname" . }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "link.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/link/templates/link-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/link-destination-rules.yaml new file mode 100644 index 0000000000..993f7ded03 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/link/templates/link-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-link-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/link/templates/link-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/link-pdb.yaml new file mode 100644 index 0000000000..1db31aa244 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/link/templates/link-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "link.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "link.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/link/templates/link-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/link-virtual-services.yaml new file mode 100644 index 0000000000..b1bd93214d --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/link/templates/link-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (index .Values "global" "link" "ingress" "linkEnabled") }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-link + namespace: {{.Release.Namespace}} + labels: + APP_NAME:link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-link + match: + - uri: + prefix: /jans-link + route: + - destination: + host: {{ index .Values "global" "link" "linkServiceName" }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 9091 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/link/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/link/templates/service.yaml new file mode 100644 index 0000000000..1221c29090 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/link/templates/service.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Service +metadata: + # the name must match the application + name: {{ index .Values "global" "link" "linkServiceName" }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: link +{{ include "link.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - port: 9091 + name: tcp-{{ include "link.name" . }}-http + selector: + app: {{ .Release.Name }}-{{ include "link.name" . }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/charts/link/values.yaml b/charts/gluu/gluu/5.1.2/charts/link/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/link/values.yaml rename to charts/gluu/gluu/5.1.2/charts/link/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/.helmignore b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/nginx-ingress/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/nginx-ingress/Chart.yaml diff --git a/charts/gluu/gluu/charts/nginx-ingress/README.md b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/README.md similarity index 100% rename from charts/gluu/gluu/charts/nginx-ingress/README.md rename to charts/gluu/gluu/5.1.2/charts/nginx-ingress/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/_helpers.tpl new file mode 100644 index 0000000000..7b38455692 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "nginx-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/admin-ui-ingress.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/admin-ui-ingress.yaml new file mode 100644 index 0000000000..1fa7a08de1 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/admin-ui-ingress.yaml @@ -0,0 +1,53 @@ +{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-admin-ui + labels: + app: {{ $fullName }}-admin-ui +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.adminUiLabels }} +{{ toYaml .Values.ingress.adminUiLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" +{{- if .Values.ingress.adminUiAdditionalAnnotations }} +{{ toYaml .Values.ingress.adminUiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /admin + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "admin-ui" "adminUiServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml new file mode 100644 index 0000000000..b5c482d5f6 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml @@ -0,0 +1,115 @@ +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedToken" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-token + labels: + app: {{ $fullName }}-auth-server-protected-token +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedTokenLabels }} +{{ toYaml .Values.ingress.authServerProtectedTokenLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedTokenAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedTokenAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/token + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerProtectedRegister" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server-protected-register + labels: + app: {{ $fullName }}-auth-server-protected-register +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerProtectedRegisterLabels }} +{{ toYaml .Values.ingress.authServerProtectedRegisterLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerProtectedRegisterAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerProtectedRegisterAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: | + if ($ssl_client_verify != SUCCESS) {return 403;} + proxy_set_header X-ClientCert $ssl_client_escaped_cert; +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth/restv1/register + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/certificate.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/certificate.yaml new file mode 100644 index 0000000000..6cfb84f431 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/certificate.yaml @@ -0,0 +1,18 @@ +{{- if .Values.certManager.certificate.enabled }} + {{- $domain := (required "Domain is required in chartValues when certManager is enabled" .Values.global.fqdn) }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + {{- range .Values.ingress.tls }} + secretName: {{ .secretName }} + {{- end }} + dnsNames: + - {{ quote $domain }} + issuerRef: + name: {{ required "nginx-ingress.certManager.certificate.issuerName is required in chart values" .Values.certManager.certificate.issuerName }} + kind: {{ required "nginx-ingress.certManager.certificate.issuerKind is required in chart values" .Values.certManager.certificate.issuerKind }} + group: {{ required "nginx-ingress.certManager.certificate.issuerGroup is required in chart values" .Values.certManager.certificate.issuerGroup }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/ingress.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/ingress.yaml new file mode 100644 index 0000000000..8069c0038b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/templates/ingress.yaml @@ -0,0 +1,843 @@ +{{ if index .Values "global" "auth-server" "ingress" "openidConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-openid-config + labels: + app: {{ $fullName }}-openid-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.openidConfigLabels }} +{{ toYaml .Values.ingress.openidConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration +{{- if .Values.ingress.openidAdditionalAnnotations }} +{{ toYaml .Values.ingress.openidAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/openid-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "deviceCodeEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-device-code + labels: + app: {{ $fullName }}-device-code +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.deviceCodeLabels }} +{{ toYaml .Values.ingress.deviceCodeLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/device_authorization.htm +{{- if .Values.ingress.deviceCodeAdditionalAnnotations }} +{{ toYaml .Values.ingress.deviceCodeAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /device-code + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "firebaseMessagingEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-firebase-messaging + labels: + app: {{ $fullName }}-firebase-messaging +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.firebaseMessagingLabels }} +{{ toYaml .Values.ingress.firebaseMessagingLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/firebase-messaging-sw.js +{{- if .Values.ingress.firebaseMessagingAdditionalAnnotations }} +{{ toYaml .Values.ingress.firebaseMessagingAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /firebase-messaging-sw.js + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "uma2ConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-uma2-config + labels: + app: {{ $fullName }}-uma2-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.uma2ConfigLabels }} +{{ toYaml .Values.ingress.uma2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration +{{- if .Values.ingress.uma2AdditionalAnnotations }} +{{ toYaml .Values.ingress.uma2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/uma2-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webfingerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webfinger + labels: + app: {{ $fullName }}-webfinger +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webfingerLabels }} +{{ toYaml .Values.ingress.webfingerLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger +{{- if .Values.ingress.webfingerAdditionalAnnotations }} +{{ toYaml .Values.ingress.webfingerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/webfinger + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "webdiscoveryEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-webdiscovery + labels: + app: {{ $fullName }}-webdiscovery +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.webdiscoveryLabels }} +{{ toYaml .Values.ingress.webdiscoveryLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery +{{- if .Values.ingress.webdiscoveryAdditionalAnnotations }} +{{ toYaml .Values.ingress.webdiscoveryAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/simple-web-discovery + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- +{{- if .Values.global.scim.ingress.scimConfigEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim-config + labels: + app: {{ $fullName }}-scim-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimConfigLabels }} +{{ toYaml .Values.ingress.scimConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration +{{- if .Values.ingress.scimConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/scim-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{- if .Values.global.scim.ingress.scimEnabled }} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-scim + labels: + app: {{ $fullName }}-scim +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.scimLabels }} +{{ toYaml .Values.ingress.scimLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "scim" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.scimAdditionalAnnotations }} +{{ toYaml .Values.ingress.scimAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-scim + pathType: Prefix + backend: + service: + name: {{ .Values.global.scim.scimServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "config-api" "ingress" "configApiEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-config-api + labels: + app: {{ $fullName }}-config-api +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.configApiLabels }} +{{ toYaml .Values.ingress.configApiLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "configapi" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.configApiAdditionalAnnotations }} +{{ toYaml .Values.ingress.configApiAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-config-api + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "config-api" "configApiServerServiceName" }} + port: + number: 8074 + {{- end }} + {{- end }} +{{- end }} + +--- +{{ if index .Values "global" "auth-server" "ingress" "u2fConfigEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-u2f-config + labels: + app: {{ $fullName }}-u2f-config +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.u2fConfigLabels }} +{{ toYaml .Values.ingress.u2fConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration +{{- if .Values.ingress.u2fAdditionalAnnotations }} +{{ toYaml .Values.ingress.u2fAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido-configuration + pathType: Exact + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2ConfigEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2-configuration + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2ConfigLabels }} +{{ toYaml .Values.ingress.fido2ConfigLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "false" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration +{{- if .Values.ingress.fido2ConfigAdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2ConfigAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /.well-known/fido2-configuration + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.fido2.ingress.fido2Enabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-fido2 + labels: + app: {{ $fullName }}-fido2 +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.fido2Labels }} +{{ toYaml .Values.ingress.fido2Labels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "fido2" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.fido2AdditionalAnnotations }} +{{ toYaml .Values.ingress.fido2AdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-fido2 + pathType: Exact + backend: + service: + name: {{ .Values.global.fido2.fido2ServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if index .Values "global" "auth-server" "ingress" "authServerEnabled" -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-auth-server + labels: + app: {{ $fullName }}-auth-server +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.authServerLabels }} +{{ toYaml .Values.ingress.authServerLabels | indent 4 }} +{{- end }} + annotations: + nginx.org/ssl-services: "auth-server" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.authServerAdditionalAnnotations }} +{{ toYaml .Values.ingress.authServerAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-auth + pathType: Prefix + backend: + service: + name: {{ index .Values "global" "auth-server" "authServerServiceName" }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.casa.ingress.casaEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-casa + labels: + app: {{ $fullName }}-casa +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.casaLabels }} +{{ toYaml .Values.ingress.casaLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "casa-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.casaAdditionalAnnotations }} +{{ toYaml .Values.ingress.casaAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /jans-casa + pathType: Prefix + backend: + service: + name: {{ .Values.global.casa.casaServiceName }} + port: + number: 8080 + {{- end }} + {{- end }} +{{- end }} + +--- + +{{ if .Values.global.saml.ingress.samlEnabled -}} +{{ $fullName := include "nginx-ingress.fullname" . -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-saml + labels: + app: {{ $fullName }}-saml +{{- if .Values.ingress.additionalLabels }} +{{ toYaml .Values.ingress.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.ingress.samlLabels }} +{{ toYaml .Values.ingress.samlLabels | indent 4 }} +{{- end }} + annotations: + nginx.ingress.kubernetes.io/affinity: cookie + nginx.ingress.kubernetes.io/session-cookie-hash: sha1 + nginx.ingress.kubernetes.io/session-cookie-name: "saml-route" + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504" +{{- if .Values.ingress.samlAdditionalAnnotations }} +{{ toYaml .Values.ingress.samlAdditionalAnnotations | indent 4 }} +{{- end }} +{{- if .Values.ingress.additionalAnnotations }} +{{ toYaml .Values.ingress.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + {{- $host := . -}} + {{- with $ }} + - host: {{ $host | quote }} + http: + paths: + - path: /kc + pathType: Prefix + backend: + service: + name: {{ .Values.global.saml.samlServiceName }} + port: + number: 8083 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/nginx-ingress/values.yaml b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/values.yaml new file mode 100644 index 0000000000..901a6ca1a7 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/nginx-ingress/values.yaml @@ -0,0 +1,87 @@ + +# -- Nginx ingress definitions chart +ingress: + enabled: true + # -- Enable use of legacy API version networking.k8s.io/v1beta1 to support kubernetes 1.18. This flag should be removed next version release along with nginx-ingress/templates/ingress-legacy.yaml. + legacy: false + path: / + # -- openid-configuration ingress resource labels. key app is taken + openidConfigLabels: { } + # -- openid-configuration ingress resource additional annotations. + openidAdditionalAnnotations: { } + # -- device-code ingress resource labels. key app is taken + deviceCodeLabels: { } + # -- device-code ingress resource additional annotations. + deviceCodeAdditionalAnnotations: { } + # -- Firebase Messaging ingress resource labels. key app is taken + firebaseMessagingLabels: { } + # -- Firebase Messaging ingress resource additional annotations. + firebaseMessagingAdditionalAnnotations: { } + # -- uma 2 config ingress resource labels. key app is taken + uma2ConfigLabels: { } + # -- uma2 config ingress resource additional annotations. + uma2AdditionalAnnotations: { } + # -- webfinger ingress resource labels. key app is taken + webfingerLabels: { } + # -- webfinger ingress resource additional annotations. + webfingerAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + webdiscoveryLabels: { } + # -- webdiscovery ingress resource additional annotations. + webdiscoveryAdditionalAnnotations: { } + # -- webdiscovery ingress resource labels. key app is taken + scimConfigLabels: { } + # -- SCIM config ingress resource additional annotations. + scimConfigAdditionalAnnotations: { } + # -- scim config ingress resource labels. key app is taken + scimLabels: { } + # -- SCIM ingress resource additional annotations. + scimAdditionalAnnotations: { } + # -- u2f config ingress resource labels. key app is taken + u2fConfigLabels: { } + # -- u2f config ingress resource additional annotations. + u2fAdditionalAnnotations: { } + # -- fido2 config ingress resource labels. key app is taken + fido2ConfigLabels: { } + # -- fido2 config ingress resource additional annotations. + fido2ConfigAdditionalAnnotations: { } + # -- Enable all fido2 endpoints + fido2Enabled: false + # -- fido2 ingress resource labels. key app is taken + fido2Labels: { } + # -- fido2 ingress resource additional annotations. + fido2AdditionalAnnotations: { } + # -- Auth server config ingress resource labels. key app is taken + authServerLabels: { } + # -- Auth server ingress resource additional annotations. + authServerAdditionalAnnotations: { } + # -- Casa ingress resource labels. key app is taken + casaLabels: { } + # -- Casa ingress resource additional annotations. + casaAdditionalAnnotations: { } + # -- SAML config ingress resource labels. key app is taken + samlLabels: { } + # -- SAML ingress resource additional annotations. + samlAdditionalAnnotations: { } + # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"} + additionalLabels: { } + # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken + # Enable client certificate authentication + # nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional" + # Create the secret containing the trusted ca certificates + # nginx.ingress.kubernetes.io/auth-tls-secret: "gluu/tls-certificate" + # Specify the verification depth in the client certificates chain + # nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" + # Specify if certificates are passed to upstream server + # nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" + additionalAnnotations: { } + # Change ingressClassName to "public" if using microk8s + ingressClassName: nginx + hosts: + - demoexample.gluu.org + tls: + - secretName: tls-certificate # DON'T change + hosts: + - demoexample.gluu.org +nameOverride: "" +fullnameOverride: "" diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/.helmignore b/charts/gluu/gluu/5.1.2/charts/opendj/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/opendj/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/opendj/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/opendj/Chart.yaml diff --git a/charts/gluu/gluu/charts/opendj/README.md b/charts/gluu/gluu/5.1.2/charts/opendj/README.md similarity index 100% rename from charts/gluu/gluu/charts/opendj/README.md rename to charts/gluu/gluu/5.1.2/charts/opendj/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/opendj/templates/_helpers.tpl new file mode 100644 index 0000000000..ecab10b753 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/_helpers.tpl @@ -0,0 +1,98 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "opendj.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "opendj.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "opendj.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* + Common labels +*/}} +{{- define "opendj.labels" -}} +app: {{ .Release.Name }}-{{ include "opendj.name" . }} +helm.sh/chart: {{ include "opendj.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "opendj.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "opendj.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} + +{{/* +Create topologySpreadConstraints lists +*/}} +{{- define "opendj.topology-spread-constraints"}} +{{- range $key, $val := .Values.topologySpreadConstraints }} +- maxSkew: {{ $val.maxSkew }} + {{- if $val.minDomains }} + minDomains: {{ $val.minDomains }} # optional; beta since v1.25 + {{- end}} + {{- if $val.topologyKey }} + topologyKey: {{ $val.topologyKey }} + {{- end}} + {{- if $val.whenUnsatisfiable }} + whenUnsatisfiable: {{ $val.whenUnsatisfiable }} + {{- end}} + labelSelector: + matchLabels: + app: {{ $.Release.Name }}-{{ include "opendj.name" $ }} + {{- if $val.matchLabelKeys }} + matchLabelKeys: {{ $val.matchLabelKeys }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeAffinityPolicy }} + nodeAffinityPolicy: {{ $val.nodeAffinityPolicy }} # optional; alpha since v1.25 + {{- end}} + {{- if $val.nodeTaintsPolicy }} + nodeTaintsPolicy: {{ $val.nodeTaintsPolicy }} # optional; alpha since v1.25 + {{- end}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/cronjobs.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/cronjobs.yaml new file mode 100644 index 0000000000..0227258a46 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/cronjobs.yaml @@ -0,0 +1,110 @@ +{{- if and ( .Values.backup.enabled ) (or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid")) }} +kind: CronJob +apiVersion: batch/v1 +metadata: + name: {{ include "opendj.fullname" . }}-backup +spec: + schedule: {{ .Values.backup.cronJobSchedule | quote }} + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{ toYaml . | indent 12 }} + {{- end }} + containers: + - name: {{ include "opendj.fullname" . }}-backup + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + ports: + {{- range $key, $value := .Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + env: + - name: LDAP_HOST + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_host + - name: LDAP_PORT + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_init_port + - name: LDAP_BIND_DN + valueFrom: + configMapKeyRef: + # ConfigMap generated by the Configuration chart when Gluu was installed. This is normally cn. + # Found in Gluu chart under config.configmap.cnConfigKubernetesConfigMap + name: cn + key: ldap_site_binddn + - name: LDAP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-ldap-cron-pass + key: password + # while true; do sleep 60; ldaplog=$(cat /opt/opendj/logs/server.out); startedstr="The Directory Server has started successfully"; if [ -z "${ldaplog##*$startedstr*}" ]; then break; fi; echo "Waiting for opendj server to start"; done + command: + - /bin/sh + - -c + - | + # ========= + # FUNCTIONS + # ========= + + set_java_args() { + # not sure if we can omit `-server` safely + local java_args="-server" + java_args="${java_args} -XX:+UseContainerSupport -XX:MaxRAMPercentage=${CN_MAX_RAM_PERCENTAGE} ${CN_JAVA_OPTIONS}" + # set the env var so it is loaded by `start-ds` script + export OPENDJ_JAVA_ARGS=${java_args} + } + + # ========== + # ENTRYPOINT + # ========== + + mkdir -p /opt/opendj/locks + + python3 /app/scripts/wait.py + python3 /app/scripts/bootstrap.py + + # run OpenDJ server + set_java_args + exec /opt/opendj/bin/start-ds -N & + sleep 300 + RANDOM_NUM=$(cat /dev/urandom | tr -cd '0-5' | head -c 1) + LDAP_BACKUP_FILE=backup-$RANDOM_NUM.ldif + /opt/opendj/bin/export-ldif --hostname "$LDAP_HOST" --port 4444 --bindDN "$LDAP_BIND_DN" --bindPassword "$LDAP_PASSWORD" --backendID userRoot --ldifFile /opt/opendj/ldif/$LDAP_BACKUP_FILE --trustAll + volumeMounts: + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + restartPolicy: Never + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/hpa.yaml new file mode 100644 index 0000000000..157ea310b8 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/hpa.yaml @@ -0,0 +1,36 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "opendj.fullname" . }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "opendj.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-destination-rules.yaml new file mode 100644 index 0000000000..a6a8f56849 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-destination-rules.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-ldap-mtls + namespace: {{.Release.Namespace}} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.opendj.ldapServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-pdb.yaml new file mode 100644 index 0000000000..1615c4ac29 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/opendj-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "opendj.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/service.yaml new file mode 100644 index 0000000000..ec7d0a8252 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/service.yaml @@ -0,0 +1,30 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $.Values.global.opendj.ldapServiceName }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + {{- range $key, $value := $.Values.ports }} + - port: {{ $value.port }} + name: {{ $key }} + targetPort: {{ $value.targetPort }} + protocol: {{ $value.protocol}} + {{- if $value.nodePort }} + nodePort: {{ $value.nodePort }} + {{- end }} + {{- end }} + clusterIP: None + selector: + app: {{ include "opendj.name" $ }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/statefulset.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/statefulset.yaml new file mode 100644 index 0000000000..a44a60e217 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/statefulset.yaml @@ -0,0 +1,125 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "opendj.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if $.Values.additionalLabels }} +{{ toYaml $.Values.additionalLabels | indent 4 }} +{{- end }} +{{- if $.Values.additionalAnnotations }} + annotations: +{{ toYaml $.Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + app: {{ include "opendj.name" $ }} + serviceName: {{ include "opendj.name" $ }} + replicas: {{ $.Values.replicas }} + template: + metadata: + labels: + app: {{ include "opendj.name" $ }} + {{- if $.Values.global.istio.ingress }} + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + {{- end }} + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + containers: + - name: {{ include "opendj.name" $ }} + {{- if .Values.customScripts }} + command: + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 14}} + {{- end }} + /app/scripts/entrypoint.sh + {{- end}} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}" + env: + {{- include "opendj.usr-envs" $ | indent 12 }} + {{- include "opendj.usr-secret-envs" $ | indent 12 }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + envFrom: + - configMapRef: + name: {{ $.Release.Name }}-config-cm + {{ if $.Values.global.usrEnvs.secret }} + - secretRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + {{ if $.Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ $.Release.Name }}-global-user-custom-envs + {{- end }} + ports: + {{- range $key, $value := $.Values.ports }} + - containerPort: {{ $value.targetPort }} + name: {{ $key }} + {{- end }} + volumeMounts: + {{- range $key, $values := $.Values.openDjVolumeMounts }} + - mountPath: {{$values.mountPath}} + name: {{$values.name}} + subPath: {{$key}} + {{- end }} + {{- with $.Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapCertFile }} + subPath: opendj.crt + - name: ldap-certkey + mountPath: {{ .Values.global.cnLdapKeyFile }} + subPath: opendj.key + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapTruststorePasswordFile }} + subPath: ldap_truststore_password + livenessProbe: +{{- toYaml $.Values.livenessProbe | nindent 10 }} + readinessProbe: +{{- toYaml $.Values.readinessProbe | nindent 10 }} + {{- if or (eq $.Values.global.storageClass.provisioner "microk8s.io/hostpath" ) (eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") }} + resources: {} + {{- else if $.Values.global.cloud.testEnviroment }} + resources: {} + {{- else }} + resources: +{{- toYaml $.Values.resources | nindent 10 }} + {{- end }} + volumes: + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + - name: ldap-certkey + secret: + secretName: {{ .Release.Name }}-ldap-certkey + volumeClaimTemplates: + - metadata: + name: opendj-volume + spec: + accessModes: + - {{ $.Values.persistence.accessModes }} + resources: + requests: + storage: {{ $.Values.persistence.size }} + {{- if eq $.Values.global.storageClass.provisioner "k8s.io/minikube-hostpath" }} + storageClassName: standard + {{- else }} + storageClassName: {{ include "opendj.fullname" $ | quote }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/storageclass.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/storageclass.yaml new file mode 100644 index 0000000000..d33175d10b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/storageclass.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ include "opendj.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + storage: opendj +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation +{{- if .Values.additionalAnnotations }} +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} + # Annotation below is to keep the storage class during upgrade. Otherwise, due to the flag at line 1 which is needed, this resource will be deleted. + helm.sh/resource-policy: keep + storageclass.beta.kubernetes.io/is-default-class: "false" + {{- if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + openebs.io/cas-type: local + cas.openebs.io/config: | + - name: StorageType + value: hostpath + - name: BasePath + value: /var/local-hostpath + {{- end }} +provisioner: {{ .Values.global.storageClass.provisioner }} +{{- if and ( ne .Values.global.storageClass.provisioner "microk8s.io/hostpath" ) ( ne .Values.global.storageClass.provisioner "k8s.io/minikube-hostpath") ( ne .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs") ( ne .Values.global.storageClass.provisioner "kubernetes.io/gce-pd") ( ne .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com") ( ne .Values.global.storageClass.provisioner "openebs.io/local") ( ne .Values.global.storageClass.provisioner "kubernetes.io/azure-disk") }} +parameters: +{{ toYaml .Values.global.storageClass.parameters | indent 4 }} +{{- else }} +parameters: + {{- if eq .Values.global.storageClass.provisioner "kubernetes.io/aws-ebs" }} + type: {{ .Values.global.awsStorageType }} + fsType: ext4 + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/gce-pd" }} + type: {{ .Values.global.gcePdStorageType }} + {{- else if eq .Values.global.storageClass.provisioner "kubernetes.io/azure-disk" }} + storageAccountType: {{ .Values.global.azureStorageAccountType }} + kind: {{ .Values.global.azureStorageKind }} + {{- else if eq .Values.global.storageClass.provisioner "dobs.csi.digitalocean.com" }} + {{- else if eq .Values.global.storageClass.provisioner "openebs.io/local" }} + {{- else }} + pool: default + fsType: ext4 + {{- end }} +{{- end }} +allowVolumeExpansion: {{ .Values.global.storageClass.allowVolumeExpansion }} +volumeBindingMode: {{ .Values.global.storageClass.volumeBindingMode }} +reclaimPolicy: {{ .Values.global.storageClass.reclaimPolicy }} +mountOptions: {{ .Values.global.storageClass.mountOptions | toJson }} +allowedTopologies: {{ .Values.global.storageClass.allowedTopologies | toJson }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..8fcf989cd5 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "opendj.labels" $ | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/opendj/values.yaml b/charts/gluu/gluu/5.1.2/charts/opendj/values.yaml new file mode 100644 index 0000000000..d397c37385 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/opendj/values.yaml @@ -0,0 +1,140 @@ + +# -- OpenDJ is a directory server which implements a wide range of Lightweight Directory Access Protocol and related standards, including full compliance with LDAPv3 but also support for Directory Service Markup Language (DSMLv2).Written in Java, OpenDJ offers multi-master replication, access control, and many extensions. +# -- Configure the HorizontalPodAutoscaler +hpa: + enabled: true + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + # -- metrics if targetCPUUtilizationPercentage is not set + metrics: [] + # -- Scaling Policies + behavior: {} +# -- Add custom normal and secret envs to the service +usrEnvs: + # -- Add custom normal envs to the service + # variable1: value1 + normal: {} + # -- Add custom secret envs to the service + # variable1: value1 + secret: {} +# -- Add custom dns policy +dnsPolicy: "" +# -- Add custom dns config +dnsConfig: {} +image: + # -- Image pullPolicy to use for deploying. + pullPolicy: IfNotPresent + # -- Image to use for deploying. + repository: gluufederation/opendj + # -- Image tag to use for deploying. + tag: 5.0.0_dev + # -- Image Pull Secrets + pullSecrets: [ ] +persistence: + # -- OpenDJ volume size + size: 5Gi + accessModes: ReadWriteOnce + type: DirectoryOrCreate +# -- servicePorts values used in StatefulSet container +ports: + tcp-admin: + nodePort: "" + port: 4444 + protocol: TCP + targetPort: 4444 + tcp-ldap: + nodePort: "" + port: 1389 + protocol: TCP + targetPort: 1389 + tcp-ldaps: + nodePort: "" + port: 1636 + protocol: TCP + targetPort: 1636 + tcp-repl: + nodePort: "" + port: 8989 + protocol: TCP + targetPort: 8989 + tcp-serf: + nodePort: "" + port: 7946 + protocol: TCP + targetPort: 7946 + udp-serf: + nodePort: "" + port: 7946 + protocol: UDP + targetPort: 7946 +# -- Service replica number. +replicas: 1 +# -- Resource specs. +resources: + limits: + # -- CPU limit. + cpu: 1500m + # -- Memory limit. + memory: 2000Mi + requests: + # -- CPU request. + cpu: 1500m + # -- Memory request. + memory: 2000Mi +# -- Configure the liveness healthcheck for OpenDJ if needed. +livenessProbe: + # -- Executes the python3 healthcheck. + exec: + command: + - python3 + - /app/scripts/healthcheck.py + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 20 +# -- Configure the readiness healthcheck for OpenDJ if needed. +readinessProbe: + tcpSocket: + port: 1636 + initialDelaySeconds: 60 + timeoutSeconds: 5 + periodSeconds: 25 + failureThreshold: 20 +# -- Configure any additional volumes that need to be attached to the pod +volumes: [] +# -- Configure any additional volumesMounts that need to be attached to the containers +volumeMounts: [] +lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "python3 /app/scripts/deregister_peer.py 1>&/proc/1/fd/1"] +nameOverride: "" +fullnameOverride: "" +# VolumeMounts for StatefulSet +# opendj-init vm +openDjVolumeMounts: + config: + mountPath: /opt/opendj/config + name: opendj-volume + ldif: + mountPath: /opt/opendj/ldif + name: opendj-volume + logs: + mountPath: /opt/opendj/logs + name: opendj-volume + db: + mountPath: /opt/opendj/db + name: opendj-volume + flag: + mountPath: /flag + name: opendj-volume + +# -- Additional labels that will be added across all resources definitions in the format of {mylabel: "myapp"} +additionalLabels: { } +# -- Additional annotations that will be added across all resources in the format of {cert-manager.io/issuer: "letsencrypt-prod"}. key app is taken +additionalAnnotations: { } +# -- Add custom scripts that have been mounted to run before the entrypoint. +# - /tmp/custom.sh +# - /tmp/custom2.sh +customScripts: [ ] diff --git a/charts/gluu/gluu/5.1.2/charts/persistence/.helmignore b/charts/gluu/gluu/5.1.2/charts/persistence/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/persistence/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/charts/persistence/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/persistence/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/persistence/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/persistence/Chart.yaml diff --git a/charts/gluu/gluu/charts/persistence/README.md b/charts/gluu/gluu/5.1.2/charts/persistence/README.md similarity index 100% rename from charts/gluu/gluu/charts/persistence/README.md rename to charts/gluu/gluu/5.1.2/charts/persistence/README.md diff --git a/charts/gluu/gluu/5.1.2/charts/persistence/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/persistence/templates/_helpers.tpl new file mode 100644 index 0000000000..bf0a313b23 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/persistence/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "persistence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "persistence.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "persistence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "persistence.labels" -}} +app: {{ .Release.Name }}-{{ include "persistence.name" . }} +helm.sh/chart: {{ include "persistence.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "persistence.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "persistence.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create user custom defined envs +*/}} +{{- define "persistence.usr-envs"}} +{{- range $key, $val := .Values.usrEnvs.normal }} +- name: {{ $key }} + value: {{ $val | quote }} +{{- end }} +{{- end }} + +{{/* +Create user custom defined secret envs +*/}} +{{- define "persistence.usr-secret-envs"}} +{{- range $key, $val := .Values.usrEnvs.secret }} +- name: {{ $key }} + valueFrom: + secretKeyRef: + name: {{ $.Release.Name }}-{{ $.Chart.Name }}-user-custom-envs + key: {{ $key | quote }} +{{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/persistence/templates/jobs.yml b/charts/gluu/gluu/5.1.2/charts/persistence/templates/jobs.yml new file mode 100644 index 0000000000..efcf04028e --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/persistence/templates/jobs.yml @@ -0,0 +1,188 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "persistence.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ttlSecondsAfterFinished: {{ .Values.global.jobTtlSecondsAfterFinished }} + template: + metadata: + name: {{ include "persistence.name" . }} + labels: + APP_NAME: persistence-loader + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- with .Values.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: {{ include "persistence.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + securityContext: + runAsUser: 1000 + runAsNonRoot: true + env: + {{- include "persistence.usr-envs" . | indent 12 }} + {{- include "persistence.usr-secret-envs" . | indent 12 }} + {{- if or ( .Values.global.istio.enabled ) ( .Values.customScripts )}} + command: + - tini + - -g + - -- + - /bin/sh + - -c + - | + {{- with .Values.customScripts }} + {{- toYaml . | replace "- " "" | nindent 12}} + {{- end }} + /app/scripts/entrypoint.sh + {{- if .Values.global.istio.enabled }} + curl -X POST http://localhost:15020/quitquitquit + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ .Release.Name }}-config-cm + {{ if .Values.global.usrEnvs.secret }} + - secretRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + {{ if .Values.global.usrEnvs.normal }} + - configMapRef: + name: {{ .Release.Name }}-global-user-custom-envs + {{- end }} + lifecycle: +{{- toYaml .Values.lifecycle | nindent 10 }} + volumeMounts: + {{- with .Values.volumeMounts }} +{{- toYaml . | nindent 10 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }} + name: aws-shared-credential-file + subPath: aws_shared_credential_file + - mountPath: {{ .Values.global.cnAwsConfigFile }} + name: aws-config-file + subPath: aws_config_file + - mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }} + name: aws-secrets-replica-regions + subPath: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - mountPath: {{ .Values.global.cnGoogleApplicationCredentials }} + name: google-sa + subPath: google-credentials.json + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + mountPath: /etc/certs/vault_role_id + subPath: vault_role_id + - name: vault + mountPath: /etc/certs/vault_secret_id + subPath: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + mountPath: "/etc/certs/couchbase.crt" + subPath: couchbase.crt + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbasePasswordFile }} + subPath: couchbase_password + - name: cb-pass + mountPath: {{ .Values.global.cnCouchbaseSuperuserPasswordFile }} + subPath: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + mountPath: {{ .Values.global.cnSqlPasswordFile }} + subPath: sql_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + mountPath: {{ .Values.global.cnLdapPasswordFile }} + subPath: ldap_password + {{- end }} + resources: +{{- toYaml .Values.resources | nindent 10 }} + volumes: + {{- with .Values.volumes }} +{{- toYaml . | nindent 8 }} + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }} + - name: aws-shared-credential-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_shared_credential_file + path: aws_shared_credential_file + - name: aws-config-file + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_config_file + path: aws_config_file + - name: aws-secrets-replica-regions + secret: + secretName: {{ .Release.Name }}-aws-config-creds + items: + - key: aws_secrets_replica_regions + path: aws_secrets_replica_regions + {{- end }} + {{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }} + - name: google-sa + secret: + secretName: {{ .Release.Name }}-google-sa + {{- end }} + {{ if eq .Values.global.configSecretAdapter "vault" }} + - name: vault + secret: + secretName: {{ .Release.Name }}-vault + items: + - key: vault_role_id + path: vault_role_id + - key: vault_secret_id + path: vault_secret_id + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "couchbase") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: cb-crt + secret: + secretName: {{ .Release.Name }}-cb-crt + - name: cb-pass + secret: + secretName: {{ .Release.Name }}-cb-pass + items: + - key: couchbase_password + path: couchbase_password + - key: couchbase_superuser_password + path: couchbase_superuser_password + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "sql") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: sql-pass + secret: + secretName: {{ .Release.Name }}-sql-pass + {{- end }} + {{- if or (eq .Values.global.cnPersistenceType "ldap") (eq .Values.global.cnPersistenceType "hybrid") }} + - name: ldap-pass + secret: + secretName: {{ .Release.Name }}-ldap-pass + items: + - key: ldap_password + path: ldap_password + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/persistence/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/persistence/templates/service.yaml new file mode 100644 index 0000000000..b266650a69 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/persistence/templates/service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.global.istio.enabled }} +# License terms and conditions: +# https://www.apache.org/licenses/LICENSE-2.0 +# Used with Istio +apiVersion: v1 +kind: Service +metadata: + name: {{ include "persistence.fullname" . }} + labels: + APP_NAME: persistence-loader +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + ports: + - name: http + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-{{ include "persistence.name" . }} + type: ClusterIP +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/persistence/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/persistence/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..29c8651b84 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/persistence/templates/user-custom-secret-envs.yaml @@ -0,0 +1,20 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: +{{ include "persistence.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/persistence/values.yaml b/charts/gluu/gluu/5.1.2/charts/persistence/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/persistence/values.yaml rename to charts/gluu/gluu/5.1.2/charts/persistence/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/saml/.helmignore b/charts/gluu/gluu/5.1.2/charts/saml/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/gluu/gluu/charts/saml/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/saml/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/saml/Chart.yaml diff --git a/charts/gluu/gluu/charts/saml/README.md b/charts/gluu/gluu/5.1.2/charts/saml/README.md similarity index 100% rename from charts/gluu/gluu/charts/saml/README.md rename to charts/gluu/gluu/5.1.2/charts/saml/README.md diff --git a/charts/gluu/gluu/charts/saml/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/saml/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/saml/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/saml/templates/deployment.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/deployment.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/templates/deployment.yaml rename to charts/gluu/gluu/5.1.2/charts/saml/templates/deployment.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/hpa.yaml new file mode 100644 index 0000000000..088742f0f0 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "saml.fullname" . }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "saml.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-destination-rules.yaml new file mode 100644 index 0000000000..5547957c4b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-saml-mtls + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.saml.samlServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-pdb.yaml new file mode 100644 index 0000000000..a6adbd310c --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "saml.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "saml.name" . }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-virtual-services.yaml new file mode 100644 index 0000000000..8f2c106d4c --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/saml-virtual-services.yaml @@ -0,0 +1,38 @@ +{{- if and (.Values.global.istio.ingress) (.Values.global.saml.ingress.samlEnabled) }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-saml + namespace: {{.Release.Namespace}} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + hosts: + - {{ .Values.global.fqdn }} + http: + - name: {{ .Release.Name }}-istio-saml + match: + - uri: + prefix: /kc + route: + - destination: + host: {{ .Values.global.saml.samlServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8083 + weight: 100 +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/service.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/service.yaml new file mode 100644 index 0000000000..e05fa7ac64 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.saml.samlServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "saml.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/saml/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/saml/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..b4bc2994cc --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/saml/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: saml +{{ include "saml.labels" . | indent 4 }} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} diff --git a/charts/gluu/gluu/charts/saml/values.yaml b/charts/gluu/gluu/5.1.2/charts/saml/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/saml/values.yaml rename to charts/gluu/gluu/5.1.2/charts/saml/values.yaml diff --git a/charts/gluu/gluu/5.1.2/charts/scim/.helmignore b/charts/gluu/gluu/5.1.2/charts/scim/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/gluu/gluu/charts/scim/Chart.yaml b/charts/gluu/gluu/5.1.2/charts/scim/Chart.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/Chart.yaml rename to charts/gluu/gluu/5.1.2/charts/scim/Chart.yaml diff --git a/charts/gluu/gluu/charts/scim/README.md b/charts/gluu/gluu/5.1.2/charts/scim/README.md similarity index 100% rename from charts/gluu/gluu/charts/scim/README.md rename to charts/gluu/gluu/5.1.2/charts/scim/README.md diff --git a/charts/gluu/gluu/charts/scim/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/charts/scim/templates/_helpers.tpl similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/_helpers.tpl rename to charts/gluu/gluu/5.1.2/charts/scim/templates/_helpers.tpl diff --git a/charts/gluu/gluu/charts/scim/templates/deployment.yml b/charts/gluu/gluu/5.1.2/charts/scim/templates/deployment.yml similarity index 100% rename from charts/gluu/gluu/charts/scim/templates/deployment.yml rename to charts/gluu/gluu/5.1.2/charts/scim/templates/deployment.yml diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/hpa.yaml b/charts/gluu/gluu/5.1.2/charts/scim/templates/hpa.yaml new file mode 100644 index 0000000000..d3ba580d6f --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/hpa.yaml @@ -0,0 +1,37 @@ +{{ if .Values.hpa.enabled -}} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "scim.fullname" . }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "scim.fullname" . }} + minReplicas: {{ .Values.hpa.minReplicas }} + maxReplicas: {{ .Values.hpa.maxReplicas }} + {{- if .Values.hpa.targetCPUUtilizationPercentage }} + targetCPUUtilizationPercentage: {{ .Values.hpa.targetCPUUtilizationPercentage }} + {{- else if .Values.hpa.metrics }} + metrics: + {{- with .Values.hpa.metrics }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} + {{- if .Values.hpa.behavior }} + behavior: + {{- with .Values.hpa.behavior }} +{{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-destination-rules.yaml b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-destination-rules.yaml new file mode 100644 index 0000000000..fc26343bdf --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-destination-rules.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ .Release.Name }}-scim-mtls + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + host: {{ .Values.global.scim.scimServiceName }}.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-pdb.yaml b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-pdb.yaml new file mode 100644 index 0000000000..d700490a85 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-pdb.yaml @@ -0,0 +1,11 @@ +{{ if .Values.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "scim.fullname" . }} +spec: + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + selector: + matchLabels: + app: {{ .Release.Name }}-{{ include "scim.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-virtual-services.yaml b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-virtual-services.yaml new file mode 100644 index 0000000000..14fafd1d46 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/scim-virtual-services.yaml @@ -0,0 +1,54 @@ +{{- if .Values.global.istio.ingress }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ .Release.Name }}-istio-scim-config + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + hosts: + - {{ .Values.global.fqdn }} +{{- if .Values.global.istio.gateways }} + gateways: +{{ toYaml .Values.global.istio.gateways | indent 2 }} +{{- else }} + gateways: + - {{ .Release.Name }}-global-gtw +{{- end }} + http: + {{- if .Values.global.scim.ingress.scimConfigEnabled }} + - name: {{ .Release.Name }}-istio-scim-config + match: + - uri: + prefix: /.well-known/scim-configuration + rewrite: + uri: /jans-scim/restv1/scim-configuration + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} + {{- if .Values.global.scim.ingress.scimEnabled }} + - name: {{ .Release.Name }}-istio-scim + match: + - uri: + prefix: "/jans-scim" + route: + - destination: + host: {{ .Values.global.scim.scimServiceName }}.{{.Release.Namespace}}.svc.cluster.local + port: + number: 8080 + weight: 100 + {{- end }} +{{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/service.yml b/charts/gluu/gluu/5.1.2/charts/scim/templates/service.yml new file mode 100644 index 0000000000..a585ea31b9 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/service.yml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.global.scim.scimServiceName }} + namespace: {{ .Release.Namespace }} + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +spec: + {{- if .Values.global.alb.ingress }} + type: NodePort + {{- end }} + ports: + - port: {{ .Values.service.port }} + name: {{ .Values.service.name }} + selector: + app: {{ .Release.Name }}-{{ include "scim.name" . }} #scim + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- with .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: +{{ toYaml . | indent 4 }} + {{- end }} diff --git a/charts/gluu/gluu/5.1.2/charts/scim/templates/user-custom-secret-envs.yaml b/charts/gluu/gluu/5.1.2/charts/scim/templates/user-custom-secret-envs.yaml new file mode 100644 index 0000000000..d9f83a46e1 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/charts/scim/templates/user-custom-secret-envs.yaml @@ -0,0 +1,21 @@ +{{ if .Values.usrEnvs.secret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-{{ .Chart.Name }}-user-custom-envs + labels: + APP_NAME: scim +{{ include "scim.labels" . | indent 4}} +{{- if .Values.additionalLabels }} +{{ toYaml .Values.additionalLabels | indent 4 }} +{{- end }} +{{- if .Values.additionalAnnotations }} + annotations: +{{ toYaml .Values.additionalAnnotations | indent 4 }} +{{- end }} +type: Opaque +data: + {{- range $key, $val := .Values.usrEnvs.secret }} + {{ $key }}: {{ $val | b64enc }} + {{- end}} +{{- end}} \ No newline at end of file diff --git a/charts/gluu/gluu/charts/scim/values.yaml b/charts/gluu/gluu/5.1.2/charts/scim/values.yaml similarity index 100% rename from charts/gluu/gluu/charts/scim/values.yaml rename to charts/gluu/gluu/5.1.2/charts/scim/values.yaml diff --git a/charts/gluu/gluu/openbanking-values.yaml b/charts/gluu/gluu/5.1.2/openbanking-values.yaml similarity index 100% rename from charts/gluu/gluu/openbanking-values.yaml rename to charts/gluu/gluu/5.1.2/openbanking-values.yaml diff --git a/charts/gluu/gluu/5.1.2/questions.yaml b/charts/gluu/gluu/5.1.2/questions.yaml new file mode 100644 index 0000000000..237575ec1b --- /dev/null +++ b/charts/gluu/gluu/5.1.2/questions.yaml @@ -0,0 +1,1209 @@ +questions: +# ================== +# License SSA group +# ================== +- variable: global.licenseSsa + default: "" + required: true + type: string + label: License SSA + description: "Before initiating the setup, please contact Gluu to obtain a valid license or trial license. Your organization needs to register with Gluu to trial Flex, after which you are issued a JWT placed here in which you can use to install. This must be base64 encoded." + group: "License SSA" + +# ================== +# Distribution group +# ================== +- variable: global.distribution + default: "openbanking" + required: true + type: enum + label: Gluu Distribution + description: "Gluu Distribution. Openbanking only contains Config-API and the Auth Server customized for Openbanking industry." + group: "Global Settings" + options: + - "default" + - "openbanking" + +# ======================== +# OpenBanking Distribution +# ======================== +- variable: global.cnObExtSigningJwksUri + required: true + default: "https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks" + description: "Open banking external signing jwks uri. Used in SSA Validation." + type: hostname + group: "OpenBanking Distribution" + label: Openbanking external signing JWKS URI + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObExtSigningJwksCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS certificate authority string + - variable: global.cnObExtSigningJwksKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: multiline + label: Open banking external signing jwks AS key string + - variable: global.cnObExtSigningJwksKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set." + type: password + label: Open banking external signing jwks AS key passphrase + min_length: 6 + - variable: global.cnObExtSigningAlias + default: "XkwIzWy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking external signing AS Alias +- variable: global.cnObStaticSigningKeyKid + default: "Wy44xWSlcWnMiEc8iq9s2G" + required: true + group: "OpenBanking Distribution" + description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G" + type: string + label: Open banking signing AS kid + show_if: "global.distribution=openbanking" +- variable: global.cnObTransportAlias + default: "" + required: false + group: "OpenBanking Distribution" + description: "Open banking transport Alias used inside the JVM." + type: string + label: Open banking transport Alias used inside the JVM. + show_if: "global.distribution=openbanking" + subquestions: + - variable: global.cnObTransportCrt + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport crt + - variable: global.cnObTransportKey + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking AS transport key + - variable: global.cnObTransportKeyPassPhrase + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64." + type: password + label: Open banking AS transport key passphrase + min_length: 6 + - variable: global.cnObTransportTrustStore + default: "" + required: true + group: "OpenBanking Distribution" + description: "Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64." + type: multiline + label: Open banking external signing jwks AS certificate authority string + +# ======================= +# Optional Services group +# ======================= +- variable: global.admin-ui.enabled + default: false + type: boolean + group: "Optional Services" + required: false + label: Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. This requires a license agreement with Gluu. + show_if: "global.distribution=default" + show_subquestion_if: true +- variable: global.auth-server-key-rotation.enabled + default: true + type: boolean + group: "Optional Services" + required: true + label: Enable Auth key rotation cronjob. Disable this if using the OB distribution. + show_if: "global.distribution=default" + show_subquestion_if: true + subquestions: + - variable: auth-server-key-rotation.keysLife + default: 48 + description: "Auth server key rotation keys life in hours." + type: int + label: Key life +- variable: global.fido2.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable Fido2 + description: "FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments." +- variable: global.config-api.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable ConfigAPI + description: "Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS)." +- variable: global.casa.enabled + default: false + type: boolean + group: "Optional Services" + required: true + label: Enable Casa + description: "Gluu Casa ('Casa') is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server." +- variable: global.scim.enabled + default: false + type: boolean + group: "Optional Services" + required: true + show_if: "global.distribution=default" + label: Enable SCIM + description: "System for Cross-domain Identity Management (SCIM) version 2.0" + +# ====================== +# Test environment group +# ====================== +- variable: global.cloud.testEnviroment + default: false + type: boolean + group: "Test Environment" + required: true + label: Test environment + description: "Boolean flag if enabled will strip resources requests and limits from all services." + +# ================= +# Persistence group +# ================= +- variable: global.cnPersistenceType + default: "sql" + required: true + type: enum + group: "Persistence" + label: Gluu Persistence backend + description: "Persistence backend to run Gluu with ldap|couchbase|hybrid|sql|spanner" + options: + - "ldap" + - "couchbase" + - "hybrid" + - "spanner" + - "sql" +# LDAP +- variable: global.opendj.enabled + default: false + type: boolean + group: "Persistence" + required: true + label: Enable installation of OpenDJ + description: "Boolean flag to enable/disable the OpenDJ chart." + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnLdapUrl + default: "opendj:1636" + type: hostname + group: "Persistence" + required: true + label: OpenDJ remote URL + description: "OpenDJ remote URL. This must be resolvable by the pods" + show_if: "global.opendj.enabled=false&&global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnPersistenceHybridMapping + default: "{}" + required: false + type: enum + group: "Persistence" + label: Gluu Persistence LDAP mapping + description: "Specify data that should be saved in LDAP (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when `global.cnPersistenceType` is set to `hybrid`." + options: + - "default" + - "user" + - "site" + - "cache" + - "token" + - "session" + show_if: "global.cnPersistenceType=hybrid" +# SQL +- variable: config.configmap.cnSqlDbDialect + default: "default" + required: false + type: enum + group: "Persistence" + label: Gluu SQL Database dialect + description: "SQL database dialect. `mysql` or `pgsql`." + options: + - "pgsql" + - "mysql" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbHost + default: "postgresql.default.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: SQL database host uri + description: "SQL database host uri" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbPort + default: 5432 + required: false + type: int + group: "Persistence" + label: SQL database port + description: "SQL database port" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbUser + default: "gluu" + group: "Persistence" + description: "SQL database username" + type: string + label: SQL database username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqldbUserPassword + default: "Test1234#" + group: "Persistence" + description: "SQL password" + type: password + label: SQL password + + show_if: "global.cnPersistenceType=sql" +- variable: config.configmap.cnSqlDbName + default: "gluu" + group: "Persistence" + description: "SQL database name" + type: string + label: SQL database name + show_if: "global.cnPersistenceType=sql" +# Spanner +- variable: config.configmap.cnGoogleSpannerInstanceId + default: "" + group: "Persistence" + description: "The google spanner instance ID" + type: string + label: Google Spanner Instance ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSpannerDatabaseId + default: "" + group: "Persistence" + description: "The google spanner database ID" + type: string + label: Google Spanner Database ID + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + group: "Persistence" + description: "The service account with access roles/secretmanager.admin to use Google secret manager and/or roles/spanner.databaseUser to use Spanner." + type: multiline + label: Google Spanner Service Account json + show_if: "global.cnPersistenceType=spanner" +- variable: config.configmap.cnGoogleProjectId + default: "" + group: "Persistence" + description: "The Google Project ID" + type: string + label: Google Project ID + show_if: "global.cnPersistenceType=spanner" +#Couchbase +- variable: config.configmap.cnCouchbaseCrt + default: "" + group: "Persistence" + description: "Couchbase certificate authority string. This must be encoded using base64. This can also be found in your couchbase UI Security > Root Certificate. In mTLS setups this is not required." + type: multiline + label: Couchbase certificate authority string + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUrl + default: "gluu.cbns.svc.cluster.local" + required: false + type: hostname + group: "Persistence" + label: Couchbase host uri + description: "Couchbase URL. Used only when global.cnPersistenceType is hybrid or couchbase. This should be in FQDN format for either remote or local Couchbase clusters. The address can be an internal address inside the kubernetes cluster" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseBucketPrefix + default: "gluu" + type: string + description: "The prefix of couchbase buckets. This helps with separation in between different environments and allows for the same couchbase cluster to be used by different setups of Gluu." + group: "Persistence" + required: true + label: The prefix of Couchbase buckets + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseIndexNumReplica + default: 0 + type: int + description: "The number of replicas per index created. Please note that the number of index nodes must be one greater than the number of index replicas. That means if your couchbase cluster only has 2 index nodes you cannot place the number of replicas to be higher than 1." + group: "Persistence" + required: true + label: The number of replicas per index created + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUser + default: "admin" + group: "Persistence" + description: "he Couchbase super user (admin) user name. This user is used during initialization only." + type: string + label: The Couchbase super user (admin) user name. + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseSuperUserPassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the super user config.configmap.cnCouchbaseSuperUser that is used during the initialization and upgrade process. The password must contain one digit, one uppercase letter, one lower case letter and one symbol" + type: password + label: Couchbase password for the super users + + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbaseUser + default: "gluu" + group: "Persistence" + description: "Couchbase restricted user, used in Gluu operations with Couchbase. Used only when global.cnPersistenceType is hybrid or couchbase." + type: string + label: Couchbase restricted username + valid_chars: "^[a-z]+$" + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" +- variable: config.configmap.cnCouchbasePassword + default: "Test1234#" + group: "Persistence" + description: "Couchbase password for the restricted user config.configmap.cnCouchbaseUser that is often used inside the services. The password must contain one digit, one uppercase letter, one lower case letter and one symbol ." + type: password + label: Couchbase password for the restricted user + show_if: "global.cnPersistenceType=couchbase||global.cnPersistenceType=hybrid" + +# ============================== +# StorageClass and volume group +# ============================== +- variable: global.storageClass.provisioner + default: "microk8s.io/hostpath" + type: string + group: "Volumes" + required: true + label: StorageClass provisioner + show_if: "global.cnPersistenceType=ldap" + subquestions: + - variable: global.storageClass.allowVolumeExpansion + default: true + type: boolean + group: "Volumes" + required: true + label: StorageClass Volume expansion + - variable: global.storageClass.reclaimPolicy + default: "Retain" + type: enum + group: "Volumes" + required: true + label: StorageClass reclaimPolicy + options: + - "Delete" + - "Retain" + - variable: global.storageClass.volumeBindingMode + default: "WaitForFirstConsumer" + type: enum + group: "Volumes" + required: true + options: + - "WaitForFirstConsumer" + - "Immediate" + label: StorageClass volumeBindingMode + +# =========== +# Cache group +# =========== +- variable: config.configmap.cnCacheType + default: "NATIVE_PERSISTENCE" + required: true + type: enum + group: "Cache" + label: Gluu Cache + description: "Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` ." + options: + - "NATIVE_PERSISTENCE" + - "IN_MEMORY" + - "REDIS" + show_subquestion_if: "REDIS" + subquestions: + - variable: config.configmap.cnRedisType + default: "STANDALONE" + type: enum + group: "Cache" + required: false + label: Redix service type + description: "Redis service type. `STANDALONE` or `CLUSTER`. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + options: + - "STANDALONE" + - "CLUSTER" + - variable: config.redisPassword + default: "Test1234#" + type: password + group: "Cache" + required: false + label: Redis admin password + description: "Redis admin password if `config.configmap.cnCacheType` is set to `REDIS`." + + - variable: config.configmap.cnRedisUrl + default: "redis.redis.svc.cluster.local:6379" + required: false + type: hostname + group: "Cache" + label: Redis URL + description: "Redis URL and port number :. Can be used when `config.configmap.cnCacheType` is set to `REDIS`." + +# ================== +# Configuration group +# ================== +- variable: global.fqdn + default: "demoexample.gluu.org" + required: true + type: hostname + group: "Configuration" + label: Gluu Installation FQDN + description: "Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services." +- variable: global.countryCode + default: "US" + required: true + type: string + group: "Configuration" + label: Country code + description: "Country code. Used for certificate creation." +- variable: config.state + default: "TX" + required: true + type: string + group: "Configuration" + label: State code + description: "State code. Used for certificate creation." +- variable: config.city + default: "Austin" + required: true + type: string + group: "Configuration" + label: City + description: "City. Used for certificate creation." +- variable: config.email + default: "support@gluu.org" + required: true + type: string + group: "Configuration" + label: Email + description: "Email address of the administrator usually. Used for certificate creation." +- variable: config.orgName + default: "Gluu" + required: true + type: string + group: "Configuration" + label: Organization + description: "Organization name. Used for certificate creation." +- variable: config.adminPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: Admin UI password + description: "Admin password to log in to the UI." + +- variable: config.ldapPassword + default: "Test1234#" + type: password + group: "Configuration" + required: true + label: LDAP password + description: "LDAP admin password if OpenDJ is used for persistence" + show_if: "global.cnPersistenceType=ldap||global.cnPersistenceType=hybrid" + +- variable: global.isFqdnRegistered + default: true + required: true + type: boolean + group: "Configuration" + label: Is the FQDN globally resolvable + description: "Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for loadbalancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically." +- variable: config.migration.enabled + default: false + required: true + type: boolean + group: "Configuration" + label: Migration from Gluu CE + description: "Boolean flag to enable migration from CE" + show_subquestion_if: true + subquestions: + - variable: config.migration.migrationDataFormat + default: "ldif" + type: enum + group: "Configuration" + required: false + label: Migration data-format + description: "Migration data-format depending on persistence backend." + options: + - "ldif" + - "couchbase+json" + - "spanner+avro" + - "postgresql+json" + - "mysql+json" + - variable: config.migration.migrationDir + default: "/ce-migration" + required: false + type: string + group: "Configuration" + label: Migration Directory + description: "Directory holding all migration files" + +# Configmap +- variable: global.configAdapterName + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu configuration backend + description: "The config backend adapter that will hold Gluu configuration layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + +# Secret +- variable: global.configSecretAdapter + default: "kubernetes" + required: true + type: enum + group: "Configuration" + label: Gluu secret backend + description: "The config backend adapter that will hold Gluu secret layer. aws|google|kubernetes" + options: + - "aws" + - "google" + - "kubernetes" + + +# Google +- variable: config.configmap.cnGoogleSecretManagerServiceAccount + default: "" + type: string + group: "Configuration" + required: true + label: Service account base64 encoded + description: "Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleProjectId + default: "" + type: string + group: "Configuration" + required: true + label: Project ID + description: "Project id of the Google project the secret manager belongs to" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretVersionId + default: "latest" + type: string + group: "Configuration" + required: true + label: Secrets version + description: "Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way." + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +- variable: config.configmap.cnGoogleSecretNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in Google Secret Manager. Defaults to gluu" + show_if: "global.configAdapterName=google||global.configSecretAdapter=google" + +# AWS +- variable: config.configmap.cnAwsAccessKeyId + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Account Access Key ID + description: "AWS Access key id that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretAccessKey + default: "" + type: string + group: "Configuration" + required: true + label: AWS IAM Secret Access Key + description: "AWS Secret Access key that belongs to an IAM user with SecretsManagerReadWrite policy" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsNamePrefix + default: "gluu" + type: string + group: "Configuration" + required: true + label: Secrets name prefix + description: "Prefix for Gluu secret in AWS Secrets Manager. Defaults to gluu" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsProfile + default: "gluu" + type: string + group: "Configuration" + required: true + label: AWS named profile + description: "The aws named profile to use. Has to be created first. This is a sensible default and it's good to leave it as is. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsDefaultRegion + default: "us-west-1" + type: string + group: "Configuration" + required: true + label: Default region + description: "The default AWS Region to use, for example, `us-west-1` or `us-west-2`" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + +- variable: config.configmap.cnAwsSecretsEndpointUrl + default: "" + type: string + group: "Configuration" + required: false + label: Secrets Manager Endpoint URL + description: "The URL of AWS secretsmanager service. If omitted, it will use the one in the specified default region. Example: https://secretsmanager.us-west-1.amazonaws.com" + show_if: "global.configAdapterName=aws||global.configSecretAdapter=aws" + + +# =========================== +# Ingress group(Istio, NGINX) +# =========================== + +# =========== +# Istio group +# =========== +- variable: global.istio.enabled + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio side cars with Gluu services." + label: Use Istio side cars + show_subquestion_if: true + subquestions: + - variable: global.istio.ingress + default: false + type: boolean + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Use Istio Ingress + - variable: global.istio.namespace + default: "istio-system" + type: string + group: "Istio" + required: true + description: "Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available." + label: Istio namespace + - variable: config.configmap.lbAddr + default: "" + group: "Istio" + description: "Istio loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# NGINX group +# =========== +- variable: config.configmap.lbAddr + default: "" + group: "NGINX" + show_if: "global.istio.ingress=false&&global.isFqdnRegistered=false" + description: "loadbalancer address (eks) or ip (gke, aks, digital ocean, local)" + type: hostname + label: LB address or ip + +# =========== +# Ingress group +# =========== +- variable: global.admin-ui.ingress.adminUiEnabled + default: false + type: boolean + group: "Ingress" + required: false + description: "Enable Admin UI endpoints." + label: Enable Admin UI endpoints + subquestions: + # auth-server + - variable: global.auth-server.ingress.authServerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable Auth server endpoints /jans-auth" + label: Enable Auth server endpoints /jans-auth + - variable: global.auth-server.ingress.openidConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/openid-configuration" + label: Enable endpoint /.well-known/openid-configuration + - variable: global.auth-server.ingress.deviceCodeEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /device-code" + label: Enable endpoint /device-code + - variable: global.auth-server.ingress.firebaseMessagingEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /firebase-messaging-sw.js" + label: Enable endpoint /firebase-messaging-sw.js + - variable: global.auth-server.ingress.uma2ConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/uma2-configuration" + label: Enable endpoint /.well-known/uma2-configuration + - variable: global.auth-server.ingress.webfingerEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/webfinger" + label: Enable endpoint /.well-known/webfinger + - variable: global.auth-server.ingress.webdiscoveryEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/simple-web-discovery" + label: Enable endpoint /.well-known/simple-web-discovery + - variable: global.auth-server.ingress.u2fConfigEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable endpoint /.well-known/fido-configuration" + label: Enable endpoint /.well-known/fido-configuration + # config-api + - variable: global.config-api.ingress.configApiEnabled + default: true + type: boolean + group: "Ingress" + required: true + description: "Enable config API endpoints /jans-config-api" + label: Enable config API endpoints /jans-config-api + +#fido2 +- variable: global.fido2.ingress.fido2ConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.fido2.enabled=true" + required: true + description: "Enable endpoint /.well-known/fido2-configuration. Enable this!" + label: Enable endpoint /.well-known/fido2-configuration +#Casa +- variable: global.casa.ingress.casaEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.casa.enabled=true" + required: true + description: "Enable endpoint /casa. Enable this!" + label: Enable endpoint /casa Enable this! +#auth-server OB +- variable: global.auth-server.ingress.authServerProtectedToken + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/token" + label: Enable mTLS on Auth server endpoint /jans-auth/restv1/token +- variable: global.auth-server.ingress.authServerProtectedRegister + default: true + type: boolean + group: "Ingress" + show_if: "global.distribution=openbanking" + required: true + description: "Enable mTLS on Auth server endpoint /jans-auth/restv1/register" + label: Enable mTLS onn Auth server endpoint /jans-auth/restv1/register +# scim +- variable: global.scim.ingress.scimConfigEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable endpoint /.well-known/scim-configuration. Enable this!" + label: Enable endpoint /.well-known/scim-configuration. Enable this! +- variable: global.scim.ingress.scimEnabled + default: false + type: boolean + group: "Ingress" + show_if: "global.distribution=default&&global.scim.enabled=true" + required: true + description: "Enable SCIM endpoints /jans-scim. Enable this!" + label: Enable SCIM endpoints /jans-scim. Enable this! + +# ============ +# Images group +# ============ +# AuthServer +- variable: auth-server.image.repository + required: true + type: string + default: "janssenproject/auth-server" + description: "The Auth Server Image repository" + label: Auth Server image repo + group: "Images" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server Image pull policy" + label: Auth Server imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server.enabled=true" +- variable: auth-server.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server image tag + group: "Images" + show_if: "global.auth-server.enabled=true" +# AdminUI +- variable: admin-ui.image.repository + required: true + type: string + default: "gluufederation/admin-ui" + description: "The AdminUI Image repository" + label: The AdminUI Image repository + group: "Images" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The AdminUI Image pull policy" + label: AdminUI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.admin-ui.enabled=true" +- variable: admin-ui.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The AdminUI Image tag" + label: AdminUI image tag + group: "Images" + show_if: "global.admin-ui.enabled=true" +# AuthServer KeyRotation +- variable: auth-server-key-rotation.image.repository + required: true + type: string + default: "janssenproject/certmanager" + description: "The Auth Server KeyRotation Image repository" + label: Auth Server KeyRotation image repo + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Auth Server KeyRotation Image pull policy" + label: Auth Server KeyRotation imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.auth-server-key-rotation.enabled=true" +- variable: auth-server-key-rotation.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Auth Server Image tag" + label: Auth Server KeyRotation image tag + group: "Images" + show_if: "global.auth-server-key-rotation.enabled=true" +# Casa +- variable: casa.image.repository + required: true + type: string + default: "gluufederation/casa" + description: "The Casa Image repository" + label: Casa image repo + group: "Images" + show_if: "global.casa.enabled=true" +- variable: casa.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Casa Image pull policy" + label: Casa imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.casa.enabled=true" +- variable: casa.image.tag + required: true + type: string + default: "5.0.0-4" + description: "The Casa Image tag" + label: Casa image tag + group: "Images" + show_if: "global.casa.enabled=true" +# Configurator +- variable: config.image.repository + required: true + type: string + default: "janssenproject/configurator" + description: "The Configurator Image repository" + label: Configurator image repo + group: "Images" + show_if: "global.config.enabled=true" +- variable: config.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Configurator Image pull policy" + label: Configurator imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config.enabled=true" +- variable: config.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Configurator Image tag" + label: Configurator image tag + group: "Images" + show_if: "global.config.enabled=true" +# ConfigAPI +- variable: config-api.image.repository + required: true + type: string + default: "janssenproject/config-api" + description: "The ConfigAPI Image repository" + label: ConfigAPI image repo + group: "Images" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The ConfigAPI Image pull policy" + label: ConfigAPI imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.config-api.enabled=true" +- variable: config-api.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The ConfigAPI Image tag" + label: ConfigAPI image tag + group: "Images" + show_if: "global.config-api.enabled=true" +# Fido2 +- variable: fido2.image.repository + required: true + type: string + default: "janssenproject/fido2" + description: "The Fido2 Image repository" + label: Fido2 image repo + group: "Images" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Fido2 Image pull policy" + label: Fido2 imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.fido2.enabled=true" +- variable: fido2.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Fido2 Image tag" + label: Fido2 image tag + group: "Images" + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.image.repository + required: true + type: string + default: "gluufederation/opendj" + description: "The OpenDJ Image repository" + label: OpenDJ image repo + group: "Images" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The OpenDJ Image pull policy" + label: OpenDJ imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.opendj.enabled=true" +- variable: opendj.image.tag + required: true + type: string + default: "5.0.0_dev" + description: "The OpenDJ Image tag" + label: OpenDJ image tag + group: "Images" + show_if: "global.opendj.enabled=true" +# Persistence +- variable: persistence.image.repository + required: true + type: string + default: "janssenproject/persistence-loader" + description: "The Persistence Image repository" + label: Persistence image repo + group: "Images" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The Persistence Image pull policy" + label: Persistence imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.persistence.enabled=true" +- variable: persistence.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The Persistence Image tag" + label: Persistence image tag + group: "Images" + show_if: "global.persistence.enabled=true" +# SCIM +- variable: scim.image.repository + required: true + type: string + default: "janssenproject/scim" + description: "The SCIM Image repository" + label: SCIM image repo + group: "Images" + show_if: "global.scim.enabled=true" +- variable: scim.image.pullPolicy + required: true + type: enum + group: "Images" + default: IfNotPresent + description: "The SCIM Image pull policy" + label: SCIM imagePullPolicy + options: + - "Always" + - "IfNotPresent" + - "Never" + show_if: "global.scim.enabled=true" +- variable: scim.image.tag + required: true + type: string + default: "1.0.5-1" + description: "The SCIM Image tag" + label: SCIM image tag + group: "Images" + show_if: "global.scim.enabled=true" + +# ============== +# Replicas group +# ============== +# AuthServer +- variable: auth-server.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Auth-server Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# Casa +- variable: casa.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Casa Replicas + description: "Service replica number." + show_if: "global.auth-server.enabled=true" +# ConfigAPI +- variable: config-api.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: ConfigAPI Replicas + description: "Service replica number." + show_if: "global.config-api.enabled=true" +# AdminUi +- variable: admin-ui.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Admin UI Replicas + description: "Service replica number." + show_if: "global.admin-ui.enabled=true" +# Fido2 +- variable: fido2.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: Fido2 Replicas + description: "Service replica number." + show_if: "global.fido2.enabled=true" +# OpenDJ +- variable: opendj.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: OpenDJ Replicas + description: "Service replica number." + show_if: "global.opendj.enabled=true" +# SCIM +- variable: scim.replicas + default: 1 + required: false + type: int + group: "Replicas" + label: SCIM Replicas + description: "Service replica number." + show_if: "global.scim.enabled=true" + diff --git a/charts/gluu/gluu/5.1.2/templates/_helpers.tpl b/charts/gluu/gluu/5.1.2/templates/_helpers.tpl new file mode 100644 index 0000000000..c5b8d3d303 --- /dev/null +++ b/charts/gluu/gluu/5.1.2/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cn.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cn.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/gluu/gluu/values.schema.json b/charts/gluu/gluu/5.1.2/values.schema.json similarity index 100% rename from charts/gluu/gluu/values.schema.json rename to charts/gluu/gluu/5.1.2/values.schema.json diff --git a/charts/gluu/gluu/values.yaml b/charts/gluu/gluu/5.1.2/values.yaml similarity index 100% rename from charts/gluu/gluu/values.yaml rename to charts/gluu/gluu/5.1.2/values.yaml diff --git a/charts/gopaddle/gopaddle/Chart.yaml b/charts/gopaddle/gopaddle/5/Chart.yaml similarity index 100% rename from charts/gopaddle/gopaddle/Chart.yaml rename to charts/gopaddle/gopaddle/5/Chart.yaml diff --git a/charts/gopaddle/gopaddle/README.md b/charts/gopaddle/gopaddle/5/README.md similarity index 100% rename from charts/gopaddle/gopaddle/README.md rename to charts/gopaddle/gopaddle/5/README.md diff --git a/charts/gopaddle/gopaddle/app-readme.md b/charts/gopaddle/gopaddle/5/app-readme.md similarity index 100% rename from charts/gopaddle/gopaddle/app-readme.md rename to charts/gopaddle/gopaddle/5/app-readme.md diff --git a/charts/gopaddle/gopaddle/templates/NOTES.txt b/charts/gopaddle/gopaddle/5/templates/NOTES.txt similarity index 100% rename from charts/gopaddle/gopaddle/templates/NOTES.txt rename to charts/gopaddle/gopaddle/5/templates/NOTES.txt diff --git a/charts/gopaddle/gopaddle/templates/deployment.yaml b/charts/gopaddle/gopaddle/5/templates/deployment.yaml similarity index 100% rename from charts/gopaddle/gopaddle/templates/deployment.yaml rename to charts/gopaddle/gopaddle/5/templates/deployment.yaml diff --git a/charts/gopaddle/gopaddle/templates/role.yaml b/charts/gopaddle/gopaddle/5/templates/role.yaml similarity index 100% rename from charts/gopaddle/gopaddle/templates/role.yaml rename to charts/gopaddle/gopaddle/5/templates/role.yaml diff --git a/charts/gopaddle/gopaddle/templates/service.yaml b/charts/gopaddle/gopaddle/5/templates/service.yaml similarity index 100% rename from charts/gopaddle/gopaddle/templates/service.yaml rename to charts/gopaddle/gopaddle/5/templates/service.yaml diff --git a/charts/gopaddle/gopaddle/values.yaml b/charts/gopaddle/gopaddle/5/values.yaml similarity index 100% rename from charts/gopaddle/gopaddle/values.yaml rename to charts/gopaddle/gopaddle/5/values.yaml diff --git a/charts/haproxy/haproxy/1.30.6/.helmignore b/charts/haproxy/haproxy/1.30.6/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.30.6/Chart.yaml b/charts/haproxy/haproxy/1.30.6/Chart.yaml new file mode 100644 index 0000000000..b5fe66da23 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.4 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.30.6 diff --git a/charts/haproxy/haproxy/1.30.6/README.md b/charts/haproxy/haproxy/1.30.6/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/app-readme.md b/charts/haproxy/haproxy/1.30.6/app-readme.md similarity index 100% rename from charts/haproxy/haproxy/app-readme.md rename to charts/haproxy/haproxy/1.30.6/app-readme.md diff --git a/charts/haproxy/haproxy/chart-icon.png b/charts/haproxy/haproxy/1.30.6/chart-icon.png similarity index 100% rename from charts/haproxy/haproxy/chart-icon.png rename to charts/haproxy/haproxy/1.30.6/chart-icon.png diff --git a/charts/haproxy/haproxy/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-customconfig-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-customconfig-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-customconfig-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-customnodeport-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-customnodeport-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-customnodeport-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-default-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-default-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-default-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-disableddefaultbackend-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-disableddefaultbackend-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-disableddefaultbackend-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-disabledsecretconfig-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-disabledsecretconfig-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-disabledsecretconfig-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-enableports-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-enableports-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-enableports-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-extraargs-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-extraargs-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-extraargs-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-extraenvs-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-extraenvs-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-extraenvs-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-hostport-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-hostport-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-hostport-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-ingressclass-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-ingressclass-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-ingressclass-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-kubernetesgateway-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-kubernetesgateway-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-kubernetesgateway-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-nodeport-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-nodeport-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-nodeport-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-privileged-ports.values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-privileged-ports.values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-privileged-ports.values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-publishservice-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-publishservice-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-publishservice-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-serviceannotation-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-serviceannotation-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-serviceannotation-values.yaml diff --git a/charts/haproxy/haproxy/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/daemonset-strategy-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-strategy-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/daemonset-strategy-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-customconfig-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-customconfig-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-customconfig-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-customnodeport-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-customnodeport-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-customnodeport-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-default-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-default-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-default-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-disableddefaultbackend-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-disableddefaultbackend-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-disableddefaultbackend-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-disabledsecretconfig-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-disabledsecretconfig-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-disabledsecretconfig-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-enableports-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-enableports-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-enableports-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-extraargs-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-extraargs-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-extraargs-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-extraenvs-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-extraenvs-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-extraenvs-values.yaml diff --git a/charts/haproxy/haproxy/1.30.6/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..0c83262362 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/ci/deployment-hpa-values.yaml @@ -0,0 +1,14 @@ +controller: + kind: Deployment + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-ingressclass-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-ingressclass-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-ingressclass-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-kubernetesgateway-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-kubernetesgateway-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-kubernetesgateway-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-nodeport-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-nodeport-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-nodeport-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-privileged-ports.values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-privileged-ports.values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-privileged-ports.values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-publishservice-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-publishservice-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-publishservice-values.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-replicacount-unset.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-replicacount-unset.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-replicacount-unset.yaml diff --git a/charts/haproxy/haproxy/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.30.6/ci/deployment-strategy-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-strategy-values.yaml rename to charts/haproxy/haproxy/1.30.6/ci/deployment-strategy-values.yaml diff --git a/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..43c74e6af1 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,716 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + hash_type: + type: object + properties: + method: + type: string + enum: + - map-based + - consistent + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + modifier: + type: string + enum: + - avalanche + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + allbackups: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + check_timeout: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + queue_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + retries: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + server_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + stick_table: + type: object + properties: + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + keylen: + type: integer + nullable: true + size: + type: integer + nullable: true + expire: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + store: + type: string + pattern: ^[^\s]+$ + http-use-htx: + type: string + enum: + - enabled + - disabled + pattern: ^[^\s]+$ + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..fa9b2cfa80 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + mode: + type: string + enum: + - tcp + - http + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + maxconn: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + httplog: + type: boolean + clflog: + type: boolean + tcplog: + type: boolean + log_format: + type: string + log_format_sd: + type: string + log_tag: + type: string + pattern: ^[^\s]+$ + log_separate_errors: + type: string + enum: + - enabled + - disabled + clitcpka: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + check_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + client_timeout: + type: integer + nullable: true + client_fin_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + server_timeout: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + queue_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + unique_id_format: + type: string + unique_id_header: + type: string + logasap: + type: string + enum: + - enabled + - disabled + allbackups: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..6b842a5fa6 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Global + description: HAProxy global configuration + type: object + properties: + chroot: + type: string + pattern: '^[^\s]+$' + group: + type: string + pattern: '^[^\s]+$' + hard_stop_after: + type: integer + user: + type: string + pattern: '^[^\s]+$' + daemon: + type: string + enum: [enabled, disabled] + nbproc: + type: integer + nbthread: + type: integer + master-worker: + type: boolean + external_check: + type: boolean + pidfile: + type: string + maxconn: + type: integer + server_state_base: + type: string + pattern: '^[^\s]+$' + tune_ssl_default_dh_param: + type: integer + ssl_default_bind_options: + type: string + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_mode_async: + type: string + enum: [enabled, disabled] + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + process: + type: string + cpu_set: + type: string + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + stats_timeout: + type: integer + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: '^[^\s]+$' + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: [enabled, disabled] + param: + type: string + pattern: '^[^\s]+$' + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug diff --git a/charts/haproxy/haproxy/questions.yml b/charts/haproxy/haproxy/1.30.6/questions.yml similarity index 100% rename from charts/haproxy/haproxy/questions.yml rename to charts/haproxy/haproxy/1.30.6/questions.yml diff --git a/charts/haproxy/haproxy/1.30.6/templates/NOTES.txt b/charts/haproxy/haproxy/1.30.6/templates/NOTES.txt new file mode 100644 index 0000000000..b5dd66716f --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.30.6/templates/_helpers.tpl b/charts/haproxy/haproxy/1.30.6/templates/_helpers.tpl new file mode 100644 index 0000000000..7cfa22cf66 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name .Release.Namespace -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" .Release.Namespace (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.30.6/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.30.6/templates/clusterrole.yaml new file mode 100644 index 0000000000..f97551999a --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/clusterrole.yaml @@ -0,0 +1,111 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.30.6/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.30.6/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..642904d7b0 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-configmap.yaml new file mode 100644 index 0000000000..2e7a800d4c --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ template "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..60961ba021 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..cb181cfba7 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-deployment.yaml new file mode 100644 index 0000000000..72c1ba4934 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-hpa.yaml new file mode 100644 index 0000000000..48ccd182f1 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..2266d007aa --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-keda.yaml new file mode 100644 index 0000000000..3807f2fa15 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ template "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..fa72096cef --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..732870a71e --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ template "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..88252394c7 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-role.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-role.yaml new file mode 100644 index 0000000000..3e41df6e43 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..40404a4013 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..ccdf135b65 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-service.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-service.yaml new file mode 100644 index 0000000000..eb78774036 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-service.yaml @@ -0,0 +1,107 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..c907109903 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.30.6/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.30.6/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..f428dadcab --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.30.6/templates/namespace.yaml b/charts/haproxy/haproxy/1.30.6/templates/namespace.yaml new file mode 100644 index 0000000000..5193c064ff --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.30.6/values.yaml b/charts/haproxy/haproxy/1.30.6/values.yaml new file mode 100644 index 0000000000..7989f64086 --- /dev/null +++ b/charts/haproxy/haproxy/1.30.6/values.yaml @@ -0,0 +1,516 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: "{{ .Release.Namespace }}" + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.31.0/.helmignore b/charts/haproxy/haproxy/1.31.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.31.0/Chart.yaml b/charts/haproxy/haproxy/1.31.0/Chart.yaml new file mode 100644 index 0000000000..bf17a14e3d --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Add IPv4/IPv6 dualstack support (#194) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.31.0 diff --git a/charts/haproxy/haproxy/1.31.0/README.md b/charts/haproxy/haproxy/1.31.0/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.31.0/app-readme.md b/charts/haproxy/haproxy/1.31.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.31.0/chart-icon.png b/charts/haproxy/haproxy/1.31.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.31.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-ipfamily-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-ipfamily-values.yaml rename to charts/haproxy/haproxy/1.31.0/ci/daemonset-ipfamily-values.yaml diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.31.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-hpa-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-hpa-values.yaml rename to charts/haproxy/haproxy/1.31.0/ci/deployment-hpa-values.yaml diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-ipfamily-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-ipfamily-values.yaml rename to charts/haproxy/haproxy/1.31.0/ci/deployment-ipfamily-values.yaml diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.31.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.31.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..43c74e6af1 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,716 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + hash_type: + type: object + properties: + method: + type: string + enum: + - map-based + - consistent + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + modifier: + type: string + enum: + - avalanche + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + allbackups: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + check_timeout: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + queue_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + retries: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + server_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + stick_table: + type: object + properties: + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + keylen: + type: integer + nullable: true + size: + type: integer + nullable: true + expire: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + store: + type: string + pattern: ^[^\s]+$ + http-use-htx: + type: string + enum: + - enabled + - disabled + pattern: ^[^\s]+$ + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..fa9b2cfa80 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + mode: + type: string + enum: + - tcp + - http + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + maxconn: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + httplog: + type: boolean + clflog: + type: boolean + tcplog: + type: boolean + log_format: + type: string + log_format_sd: + type: string + log_tag: + type: string + pattern: ^[^\s]+$ + log_separate_errors: + type: string + enum: + - enabled + - disabled + clitcpka: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + check_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + client_timeout: + type: integer + nullable: true + client_fin_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + server_timeout: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + queue_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + unique_id_format: + type: string + unique_id_header: + type: string + logasap: + type: string + enum: + - enabled + - disabled + allbackups: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..6b842a5fa6 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Global + description: HAProxy global configuration + type: object + properties: + chroot: + type: string + pattern: '^[^\s]+$' + group: + type: string + pattern: '^[^\s]+$' + hard_stop_after: + type: integer + user: + type: string + pattern: '^[^\s]+$' + daemon: + type: string + enum: [enabled, disabled] + nbproc: + type: integer + nbthread: + type: integer + master-worker: + type: boolean + external_check: + type: boolean + pidfile: + type: string + maxconn: + type: integer + server_state_base: + type: string + pattern: '^[^\s]+$' + tune_ssl_default_dh_param: + type: integer + ssl_default_bind_options: + type: string + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_mode_async: + type: string + enum: [enabled, disabled] + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + process: + type: string + cpu_set: + type: string + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + stats_timeout: + type: integer + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: '^[^\s]+$' + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: [enabled, disabled] + param: + type: string + pattern: '^[^\s]+$' + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug diff --git a/charts/haproxy/haproxy/1.31.0/questions.yml b/charts/haproxy/haproxy/1.31.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.31.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.31.0/templates/NOTES.txt new file mode 100644 index 0000000000..b5dd66716f --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.31.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.31.0/templates/_helpers.tpl new file mode 100644 index 0000000000..7cfa22cf66 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/_helpers.tpl @@ -0,0 +1,144 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name .Release.Namespace -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" .Release.Namespace (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.31.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.31.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..f97551999a --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/clusterrole.yaml @@ -0,0 +1,111 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.31.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.31.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..642904d7b0 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..2e7a800d4c --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ template "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..60961ba021 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..cb181cfba7 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..72c1ba4934 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ template "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ template "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ template "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ .Release.Namespace }}/{{ template "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ .Release.Namespace }}/{{ template "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ template "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..48ccd182f1 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..2266d007aa --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..3807f2fa15 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ template "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..fa72096cef --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..732870a71e --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ template "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..88252394c7 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-role.yaml new file mode 100644 index 0000000000..3e41df6e43 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..40404a4013 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..ccdf135b65 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-service.yaml new file mode 100644 index 0000000000..bcef8ce1c5 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kubernetes-ingress.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..c907109903 --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.31.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.31.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..f428dadcab --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.31.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.31.0/templates/namespace.yaml new file mode 100644 index 0000000000..5193c064ff --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "kubernetes-ingress.name" . }} + helm.sh/chart: {{ template "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.31.0/values.yaml b/charts/haproxy/haproxy/1.31.0/values.yaml new file mode 100644 index 0000000000..f7726220bb --- /dev/null +++ b/charts/haproxy/haproxy/1.31.0/values.yaml @@ -0,0 +1,522 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: "{{ .Release.Namespace }}" + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.32.0/.helmignore b/charts/haproxy/haproxy/1.32.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.32.0/Chart.yaml b/charts/haproxy/haproxy/1.32.0/Chart.yaml new file mode 100644 index 0000000000..631a0590e3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/changes: | + - Allow the release namespace to be overridden (#195) + - Add missing RBAC rules for customresourcedefinitions (#196) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.0 diff --git a/charts/haproxy/haproxy/1.32.0/README.md b/charts/haproxy/haproxy/1.32.0/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.32.0/app-readme.md b/charts/haproxy/haproxy/1.32.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.32.0/chart-icon.png b/charts/haproxy/haproxy/1.32.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.32.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.32.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.32.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..43c74e6af1 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,716 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + hash_type: + type: object + properties: + method: + type: string + enum: + - map-based + - consistent + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + modifier: + type: string + enum: + - avalanche + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + allbackups: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + check_timeout: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + queue_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + retries: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + server_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + stick_table: + type: object + properties: + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + keylen: + type: integer + nullable: true + size: + type: integer + nullable: true + expire: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + store: + type: string + pattern: ^[^\s]+$ + http-use-htx: + type: string + enum: + - enabled + - disabled + pattern: ^[^\s]+$ + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..fa9b2cfa80 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + mode: + type: string + enum: + - tcp + - http + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + uri_whole: + type: boolean + uri_len: + type: integer + uri_depth: + type: integer + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_path_only: + type: boolean + maxconn: + type: integer + nullable: true + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + smtpchk_params: + type: object + properties: + hello: + type: string + domain: + type: string + mysql_check_params: + type: object + properties: + username: + type: string + client_version: + type: string + enum: + - pre-41 + - post-41 + pgsql_check_params: + type: object + properties: + username: + type: string + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + http-check: + type: object + required: + - type + properties: + type: + type: string + enum: + - disable-on-404 + - expect + - send-state + exclamation_mark: + type: boolean + match: + type: string + enum: + - status + - rstatus + - string + - rstring + pattern: ^[^\s]+$ + pattern: + type: string + bind_process: + type: string + pattern: ^[^\s]+$ + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + abortonclose: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + httplog: + type: boolean + clflog: + type: boolean + tcplog: + type: boolean + log_format: + type: string + log_format_sd: + type: string + log_tag: + type: string + pattern: ^[^\s]+$ + log_separate_errors: + type: string + enum: + - enabled + - disabled + clitcpka: + type: string + enum: + - enabled + - disabled + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + check_timeout: + type: integer + nullable: true + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + name: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - rewrite + - insert + - prefix + indirect: + type: boolean + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + httponly: + type: boolean + secure: + type: boolean + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + maxidle: + type: integer + maxlife: + type: integer + dynamic: + type: boolean + client_timeout: + type: integer + nullable: true + client_fin_timeout: + type: integer + nullable: true + http_request_timeout: + type: integer + nullable: true + http_keep_alive_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + server_timeout: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + queue_timeout: + type: integer + nullable: true + tunnel_timeout: + type: integer + nullable: true + external_check: + type: string + enum: + - enabled + - disabled + external_check_path: + type: string + pattern: ^[^\s]+$ + external_check_command: + type: string + pattern: ^[^\s]+$ + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + title: Default Server + type: object + properties: + init-addr: + pattern: ^[^\s]+$ + type: string + inter: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + downinter: + type: integer + nullable: true + rise: + type: integer + nullable: true + fall: + type: integer + nullable: true + check-sni: + type: string + pattern: ^[^\s]+$ + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + enabled: + type: string + enum: + - enabled + - disabled + disabled: + type: string + enum: + - enabled + - disabled + port: + type: integer + minimum: 1 + maximum: 65535 + nullable: true + resolvers: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + enum: + - ipv4 + - ipv6 + pattern: ^[^\s]+$ + resolve-net: + type: string + pattern: ^[^\s]+$ + name: + type: string + pattern: ^[^\s]+$ + address: + type: string + pattern: ^[^\s]+$ + health_check_port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + ssl_certificate: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-send: + type: string + agent-inter: + type: integer + nullable: true + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-port: + type: integer + nullable: true + minimum: 1 + maximum: 65535 + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + check: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + error_limit: + type: integer + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + log_proto: + type: string + enum: + - legacy + - octet-count + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + max_reuse: + type: integer + nullable: true + minconn: + type: integer + nullable: true + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + redir: + type: string + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + socks4: + type: string + pattern: ^[^\s]+$ + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + track: + type: string + tls_tickets: + type: string + enum: + - enabled + - disabled + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + unique_id_format: + type: string + unique_id_header: + type: string + logasap: + type: string + enum: + - enabled + - disabled + allbackups: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ diff --git a/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..6b842a5fa6 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,201 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Global + description: HAProxy global configuration + type: object + properties: + chroot: + type: string + pattern: '^[^\s]+$' + group: + type: string + pattern: '^[^\s]+$' + hard_stop_after: + type: integer + user: + type: string + pattern: '^[^\s]+$' + daemon: + type: string + enum: [enabled, disabled] + nbproc: + type: integer + nbthread: + type: integer + master-worker: + type: boolean + external_check: + type: boolean + pidfile: + type: string + maxconn: + type: integer + server_state_base: + type: string + pattern: '^[^\s]+$' + tune_ssl_default_dh_param: + type: integer + ssl_default_bind_options: + type: string + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_mode_async: + type: string + enum: [enabled, disabled] + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + process: + type: string + cpu_set: + type: string + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + stats_timeout: + type: integer + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: '^[^\s]+$' + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: [enabled, disabled] + param: + type: string + pattern: '^[^\s]+$' + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug diff --git a/charts/haproxy/haproxy/1.32.0/questions.yml b/charts/haproxy/haproxy/1.32.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.32.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.32.0/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.32.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.32.0/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.32.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.32.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.32.0/templates/clusterrolebinding.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/clusterrolebinding.yaml rename to charts/haproxy/haproxy/1.32.0/templates/clusterrolebinding.yaml diff --git a/charts/haproxy/haproxy/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-configmap.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-configmap.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-configmap.yaml diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..bf07d60240 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-defaultcertsecret.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-defaultcertsecret.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-defaultcertsecret.yaml diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..50e0bf1e6e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-keda.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-keda.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-keda.yaml diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-pullsecret.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-pullsecret.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-pullsecret.yaml diff --git a/charts/haproxy/haproxy/templates/controller-role.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-role.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-role.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-role.yaml diff --git a/charts/haproxy/haproxy/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-rolebinding.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-rolebinding.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-rolebinding.yaml diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-service.yaml new file mode 100644 index 0000000000..4e44eb6144 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.32.0/templates/controller-servicemonitor.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-servicemonitor.yaml rename to charts/haproxy/haproxy/1.32.0/templates/controller-servicemonitor.yaml diff --git a/charts/haproxy/haproxy/templates/namespace.yaml b/charts/haproxy/haproxy/1.32.0/templates/namespace.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/namespace.yaml rename to charts/haproxy/haproxy/1.32.0/templates/namespace.yaml diff --git a/charts/haproxy/haproxy/1.32.0/values.yaml b/charts/haproxy/haproxy/1.32.0/values.yaml new file mode 100644 index 0000000000..abdaefb568 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.0/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.32.1/.helmignore b/charts/haproxy/haproxy/1.32.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.32.1/Chart.yaml b/charts/haproxy/haproxy/1.32.1/Chart.yaml new file mode 100644 index 0000000000..4f37e902d1 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Update CRDs to v1alpha2 (#200) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.1 diff --git a/charts/haproxy/haproxy/1.32.1/README.md b/charts/haproxy/haproxy/1.32.1/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.32.1/app-readme.md b/charts/haproxy/haproxy/1.32.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.32.1/chart-icon.png b/charts/haproxy/haproxy/1.32.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.32.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.32.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.32.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.32.1/questions.yml b/charts/haproxy/haproxy/1.32.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.32.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.32.1/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.32.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.32.1/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.32.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.32.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.32.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..bf07d60240 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..50e0bf1e6e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-service.yaml new file mode 100644 index 0000000000..4e44eb6144 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.32.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.32.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.1/values.yaml b/charts/haproxy/haproxy/1.32.1/values.yaml new file mode 100644 index 0000000000..abdaefb568 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.1/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.32.2/.helmignore b/charts/haproxy/haproxy/1.32.2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.32.2/Chart.yaml b/charts/haproxy/haproxy/1.32.2/Chart.yaml new file mode 100644 index 0000000000..085468a922 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.5 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.5 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.2 diff --git a/charts/haproxy/haproxy/1.32.2/README.md b/charts/haproxy/haproxy/1.32.2/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.32.2/app-readme.md b/charts/haproxy/haproxy/1.32.2/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.32.2/chart-icon.png b/charts/haproxy/haproxy/1.32.2/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.32.2/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.2/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.32.2/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.32.2/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.32.2/questions.yml b/charts/haproxy/haproxy/1.32.2/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.32.2/templates/NOTES.txt b/charts/haproxy/haproxy/1.32.2/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.32.2/templates/_helpers.tpl b/charts/haproxy/haproxy/1.32.2/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.32.2/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.32.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.2/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.32.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..bf07d60240 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..50e0bf1e6e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-role.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-service.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-service.yaml new file mode 100644 index 0000000000..4e44eb6144 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.2/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.32.2/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.2/templates/namespace.yaml b/charts/haproxy/haproxy/1.32.2/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.2/values.yaml b/charts/haproxy/haproxy/1.32.2/values.yaml new file mode 100644 index 0000000000..abdaefb568 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.2/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.32.3/.helmignore b/charts/haproxy/haproxy/1.32.3/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.32.3/Chart.yaml b/charts/haproxy/haproxy/1.32.3/Chart.yaml new file mode 100644 index 0000000000..8f723e2f3a --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.6 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.6 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.3 diff --git a/charts/haproxy/haproxy/1.32.3/README.md b/charts/haproxy/haproxy/1.32.3/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.32.3/app-readme.md b/charts/haproxy/haproxy/1.32.3/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.32.3/chart-icon.png b/charts/haproxy/haproxy/1.32.3/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.32.3/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.3/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.32.3/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.32.3/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.32.3/questions.yml b/charts/haproxy/haproxy/1.32.3/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.32.3/templates/NOTES.txt b/charts/haproxy/haproxy/1.32.3/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.32.3/templates/_helpers.tpl b/charts/haproxy/haproxy/1.32.3/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.32.3/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.32.3/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.3/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.32.3/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..bf07d60240 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-deployment.yaml new file mode 100644 index 0000000000..50e0bf1e6e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-role.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-service.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-service.yaml new file mode 100644 index 0000000000..4e44eb6144 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.3/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.32.3/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.3/templates/namespace.yaml b/charts/haproxy/haproxy/1.32.3/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.3/values.yaml b/charts/haproxy/haproxy/1.32.3/values.yaml new file mode 100644 index 0000000000..abdaefb568 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.3/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.32.4/.helmignore b/charts/haproxy/haproxy/1.32.4/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.32.4/Chart.yaml b/charts/haproxy/haproxy/1.32.4/Chart.yaml new file mode 100644 index 0000000000..7c0dc6ae9f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.6 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.6 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.32.4 diff --git a/charts/haproxy/haproxy/1.32.4/README.md b/charts/haproxy/haproxy/1.32.4/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.32.4/app-readme.md b/charts/haproxy/haproxy/1.32.4/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.32.4/chart-icon.png b/charts/haproxy/haproxy/1.32.4/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.32.4/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.32.4/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.32.4/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.32.4/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.32.4/questions.yml b/charts/haproxy/haproxy/1.32.4/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.32.4/templates/NOTES.txt b/charts/haproxy/haproxy/1.32.4/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.32.4/templates/_helpers.tpl b/charts/haproxy/haproxy/1.32.4/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.32.4/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.32.4/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.4/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.32.4/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..bf07d60240 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-daemonset.yaml @@ -0,0 +1,248 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-deployment.yaml new file mode 100644 index 0000000000..50e0bf1e6e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-deployment.yaml @@ -0,0 +1,243 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-role.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-service.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-service.yaml new file mode 100644 index 0000000000..4e44eb6144 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-service.yaml @@ -0,0 +1,114 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.4/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.32.4/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.32.4/templates/namespace.yaml b/charts/haproxy/haproxy/1.32.4/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.32.4/values.yaml b/charts/haproxy/haproxy/1.32.4/values.yaml new file mode 100644 index 0000000000..abdaefb568 --- /dev/null +++ b/charts/haproxy/haproxy/1.32.4/values.yaml @@ -0,0 +1,526 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.33.0/.helmignore b/charts/haproxy/haproxy/1.33.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.33.0/Chart.yaml b/charts/haproxy/haproxy/1.33.0/Chart.yaml new file mode 100644 index 0000000000..15e4bb939e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.7 version for base image + - Enable new Prometheus endpoint on tcp/6060 by default + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.7 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.33.0 diff --git a/charts/haproxy/haproxy/1.33.0/README.md b/charts/haproxy/haproxy/1.33.0/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.33.0/app-readme.md b/charts/haproxy/haproxy/1.33.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.33.0/chart-icon.png b/charts/haproxy/haproxy/1.33.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.33.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.33.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.33.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.33.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.33.0/questions.yml b/charts/haproxy/haproxy/1.33.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.33.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.33.0/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.33.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.33.0/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.33.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.33.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.33.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..5057dd8aa4 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..be9a441178 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-service.yaml new file mode 100644 index 0000000000..dc05b44eac --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.33.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.33.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.0/values.yaml b/charts/haproxy/haproxy/1.33.0/values.yaml new file mode 100644 index 0000000000..490c71e8ff --- /dev/null +++ b/charts/haproxy/haproxy/1.33.0/values.yaml @@ -0,0 +1,530 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.33.1/.helmignore b/charts/haproxy/haproxy/1.33.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.33.1/Chart.yaml b/charts/haproxy/haproxy/1.33.1/Chart.yaml new file mode 100644 index 0000000000..9c3cc9da33 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.8 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.8 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.33.1 diff --git a/charts/haproxy/haproxy/1.33.1/README.md b/charts/haproxy/haproxy/1.33.1/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.33.1/app-readme.md b/charts/haproxy/haproxy/1.33.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.33.1/chart-icon.png b/charts/haproxy/haproxy/1.33.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.33.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.33.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.33.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.33.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.33.1/questions.yml b/charts/haproxy/haproxy/1.33.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.33.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.33.1/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.33.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.33.1/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.33.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.33.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.33.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..5057dd8aa4 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..be9a441178 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..317ee78cc2 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-service.yaml new file mode 100644 index 0000000000..dc05b44eac --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.33.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.33.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.33.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.33.1/values.yaml b/charts/haproxy/haproxy/1.33.1/values.yaml new file mode 100644 index 0000000000..490c71e8ff --- /dev/null +++ b/charts/haproxy/haproxy/1.33.1/values.yaml @@ -0,0 +1,530 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.34.0/.helmignore b/charts/haproxy/haproxy/1.34.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.34.0/Chart.yaml b/charts/haproxy/haproxy/1.34.0/Chart.yaml new file mode 100644 index 0000000000..1e46e96fd1 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.9 version for base image + - Set allowPrivilegeEscalation to false by default + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.9 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.34.0 diff --git a/charts/haproxy/haproxy/1.34.0/README.md b/charts/haproxy/haproxy/1.34.0/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.34.0/app-readme.md b/charts/haproxy/haproxy/1.34.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.34.0/chart-icon.png b/charts/haproxy/haproxy/1.34.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.34.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.34.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.34.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.34.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.34.0/questions.yml b/charts/haproxy/haproxy/1.34.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.34.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.34.0/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.34.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.34.0/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.34.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.34.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.34.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..22d06f6b95 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..0567fe886e --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/IngressClass") }} +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass" }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..4fe27fb83c --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..055120d927 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if .Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-service.yaml new file mode 100644 index 0000000000..dc05b44eac --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.34.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.34.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.0/values.yaml b/charts/haproxy/haproxy/1.34.0/values.yaml new file mode 100644 index 0000000000..d474af0857 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.0/values.yaml @@ -0,0 +1,535 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.34.1/.helmignore b/charts/haproxy/haproxy/1.34.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.34.1/Chart.yaml b/charts/haproxy/haproxy/1.34.1/Chart.yaml new file mode 100644 index 0000000000..eb7ec6bfc6 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/changes: | + - Fixes for .Capabilities.APIVersions issues (issues #202 and #211) + - semverCompare fixes for appProtocol + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.9 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.34.1 diff --git a/charts/haproxy/haproxy/1.34.1/README.md b/charts/haproxy/haproxy/1.34.1/README.md new file mode 100644 index 0000000000..19d1e3f6db --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/README.md @@ -0,0 +1,285 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.34.1/app-readme.md b/charts/haproxy/haproxy/1.34.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.34.1/chart-icon.png b/charts/haproxy/haproxy/1.34.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.34.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.34.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.34.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.34.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_backends.yaml b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_backends.yaml new file mode 100644 index 0000000000..2947a7084d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_backends.yaml @@ -0,0 +1,903 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: backends.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Backend + plural: backends + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + title: Backend + description: HAProxy backend configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + hash_type: + type: object + properties: + function: + type: string + enum: + - sdbm + - djb2 + - wt6 + - crc32 + method: + type: string + enum: + - map-based + - consistent + modifier: + type: string + enum: + - avalanche + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-keep-alive: + type: string + enum: + - enabled + - disabled + http-no-delay: + type: string + enum: + - enabled + - disabled + http-server-close: + type: string + enum: + - enabled + - disabled + http-use-htx: + type: string + pattern: ^[^\s]+$ + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_proxy: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httpclose: + type: string + enum: + - enabled + - disabled + log_health_checks: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + mode: + type: string + enum: + - http + - tcp + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + name: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + stick_table: + type: object + properties: + expire: + type: integer + nullable: true + keylen: + type: integer + nullable: true + nopurge: + type: boolean + peers: + type: string + pattern: ^[^\s]+$ + size: + type: integer + nullable: true + store: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - ip + - ipv6 + - integer + - string + - binary + tcpka: + type: string + enum: + - enabled + - disabled + tunnel_timeout: + type: integer + nullable: true + diff --git a/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_defaults.yaml b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_defaults.yaml new file mode 100644 index 0000000000..03323b323e --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_defaults.yaml @@ -0,0 +1,929 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: defaults.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Defaults + plural: defaults + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + required: + - config + properties: + config: + title: Defaults + description: HAProxy defaults configuration + type: object + properties: + abortonclose: + type: string + enum: + - enabled + - disabled + accept_invalid_http_request: + type: string + enum: + - enabled + - disabled + accept_invalid_http_response: + type: string + enum: + - enabled + - disabled + adv_check: + type: string + enum: + - ssl-hello-chk + - smtpchk + - ldap-check + - mysql-check + - pgsql-check + - tcp-check + - redis-check + - httpchk + allbackups: + type: string + enum: + - enabled + - disabled + backlog: + type: integer + nullable: true + balance: + type: object + required: + - algorithm + properties: + algorithm: + type: string + enum: + - roundrobin + - static-rr + - leastconn + - first + - source + - uri + - url_param + - hdr + - random + - rdp-cookie + hdr_name: + type: string + hdr_use_domain_only: + type: boolean + random_draws: + type: integer + rdp_cookie_name: + type: string + pattern: ^[^\s]+$ + uri_depth: + type: integer + uri_len: + type: integer + uri_path_only: + type: boolean + uri_whole: + type: boolean + url_param: + type: string + pattern: ^[^\s]+$ + url_param_check_post: + type: integer + url_param_max_wait: + type: integer + bind_process: + type: string + pattern: ^[^\s]+$ + check_timeout: + type: integer + nullable: true + clflog: + type: boolean + client_fin_timeout: + type: integer + nullable: true + client_timeout: + type: integer + nullable: true + clitcpka: + type: string + enum: + - enabled + - disabled + compression: + type: object + properties: + algorithms: + type: array + items: + type: string + enum: + - identity + - gzip + - deflate + - raw-deflate + offload: + type: boolean + types: + type: array + items: + type: string + connect_timeout: + type: integer + nullable: true + contstats: + type: string + enum: + - enabled + cookie: + type: object + required: + - name + properties: + domain: + type: array + items: + type: object + properties: + value: + type: string + pattern: ^[^\s]+$ + dynamic: + type: boolean + httponly: + type: boolean + indirect: + type: boolean + maxidle: + type: integer + maxlife: + type: integer + name: + type: string + pattern: ^[^\s]+$ + nocache: + type: boolean + postonly: + type: boolean + preserve: + type: boolean + secure: + type: boolean + type: + type: string + enum: + - rewrite + - insert + - prefix + default_backend: + type: string + pattern: ^[A-Za-z0-9-_.:]+$ + default_server: + type: object + title: Default Server + properties: + address: + type: string + pattern: ^[^\s]+$ + agent-addr: + type: string + pattern: ^[^\s]+$ + agent-check: + type: string + enum: + - enabled + - disabled + agent-inter: + type: integer + nullable: true + agent-port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + agent-send: + type: string + allow_0rtt: + type: boolean + alpn: + type: string + pattern: ^[^\s]+$ + backup: + type: string + enum: + - enabled + - disabled + ca_file: + type: string + check: + type: string + enum: + - enabled + - disabled + check-send-proxy: + type: string + enum: + - enabled + - disabled + check-sni: + type: string + pattern: ^[^\s]+$ + check-ssl: + type: string + enum: + - enabled + - disabled + check_alpn: + type: string + pattern: ^[^\s]+$ + check_proto: + type: string + pattern: ^[^\s]+$ + check_via_socks4: + type: string + enum: + - enabled + - disabled + ciphers: + type: string + ciphersuites: + type: string + cookie: + type: string + pattern: ^[^\s]+$ + crl_file: + type: string + disabled: + type: string + enum: + - enabled + - disabled + downinter: + type: integer + nullable: true + enabled: + type: string + enum: + - enabled + - disabled + error_limit: + type: integer + fall: + type: integer + nullable: true + fastinter: + type: integer + nullable: true + force_sslv3: + type: string + enum: + - enabled + - disabled + force_tlsv10: + type: string + enum: + - enabled + - disabled + force_tlsv11: + type: string + enum: + - enabled + - disabled + force_tlsv12: + type: string + enum: + - enabled + - disabled + force_tlsv13: + type: string + enum: + - enabled + - disabled + health_check_port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + init-addr: + type: string + pattern: ^[^\s]+$ + inter: + type: integer + nullable: true + log_proto: + type: string + enum: + - legacy + - octet-count + max_reuse: + type: integer + nullable: true + maxconn: + type: integer + nullable: true + maxqueue: + type: integer + nullable: true + minconn: + type: integer + nullable: true + name: + type: string + pattern: ^[^\s]+$ + namespace: + type: string + no_sslv3: + type: string + enum: + - enabled + - disabled + no_tlsv10: + type: string + enum: + - enabled + - disabled + no_tlsv11: + type: string + enum: + - enabled + - disabled + no_tlsv12: + type: string + enum: + - enabled + - disabled + no_tlsv13: + type: string + enum: + - enabled + - disabled + no_verifyhost: + type: string + enum: + - enabled + - disabled + npn: + type: string + observe: + type: string + enum: + - layer4 + - layer7 + on-error: + type: string + enum: + - fastinter + - fail-check + - sudden-death + - mark-down + on-marked-down: + type: string + enum: + - shutdown-sessions + on-marked-up: + type: string + enum: + - shutdown-backup-sessions + pool_low_conn: + type: integer + nullable: true + pool_max_conn: + type: integer + nullable: true + pool_purge_delay: + type: integer + nullable: true + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + proto: + type: string + pattern: ^[^\s]+$ + proxy-v2-options: + type: array + items: + type: string + enum: + - ssl + - cert-cn + - ssl-cipher + - cert-sig + - cert-key + - authority + - crc32c + - unique-id + redir: + type: string + resolve-net: + type: string + pattern: ^[^\s]+$ + resolve-prefer: + type: string + pattern: ^[^\s]+$ + enum: + - ipv4 + - ipv6 + resolve_opts: + type: string + pattern: ^[^,\s][^\,]*[^,\s]*$ + resolvers: + type: string + pattern: ^[^\s]+$ + rise: + type: integer + nullable: true + send-proxy: + type: string + enum: + - enabled + - disabled + send-proxy-v2: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl: + type: string + enum: + - enabled + - disabled + send_proxy_v2_ssl_cn: + type: string + enum: + - enabled + - disabled + slowstart: + type: integer + nullable: true + sni: + type: string + pattern: ^[^\s]+$ + socks4: + type: string + pattern: ^[^\s]+$ + source: + type: string + ssl: + type: string + enum: + - enabled + - disabled + ssl_certificate: + type: string + pattern: ^[^\s]+$ + ssl_max_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_min_ver: + type: string + enum: + - SSLv3 + - TLSv1.0 + - TLSv1.1 + - TLSv1.2 + - TLSv1.3 + ssl_reuse: + type: string + enum: + - enabled + - disabled + stick: + type: string + enum: + - enabled + - disabled + tcp_ut: + type: integer + tfo: + type: string + enum: + - enabled + - disabled + tls_tickets: + type: string + enum: + - enabled + - disabled + track: + type: string + verify: + type: string + enum: + - none + - required + verifyhost: + type: string + weight: + type: integer + nullable: true + disable_h2_upgrade: + type: string + enum: + - enabled + - disabled + dontlognull: + type: string + enum: + - enabled + - disabled + dynamic_cookie_key: + type: string + pattern: ^[^\s]+$ + error_files: + type: array + items: + type: object + properties: + code: + type: integer + enum: + - 200 + - 400 + - 403 + - 405 + - 408 + - 425 + - 429 + - 500 + - 502 + - 503 + - 504 + file: + type: string + external_check: + type: string + enum: + - enabled + - disabled + external_check_command: + type: string + pattern: ^[^\s]+$ + external_check_path: + type: string + pattern: ^[^\s]+$ + forwardfor: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + except: + type: string + pattern: ^[^\s]+$ + header: + type: string + pattern: ^[^\s]+$ + ifnone: + type: boolean + h1_case_adjust_bogus_client: + type: string + enum: + - enabled + - disabled + h1_case_adjust_bogus_server: + type: string + enum: + - enabled + - disabled + http-buffer-request: + type: string + enum: + - enabled + - disabled + http-check: + type: object + title: HTTP Check + required: + - index + - type + properties: + addr: + type: string + pattern: ^[^\s]+$ + alpn: + type: string + pattern: ^[^\s]+$ + body: + type: string + body_log_format: + type: string + check_comment: + type: string + default: + type: boolean + error_status: + type: string + enum: + - L7OKC + - L7RSP + - L7STS + - L6RSP + - L4CON + exclamation_mark: + type: boolean + headers: + type: array + items: + type: object + required: + - name + - fmt + properties: + fmt: + type: string + name: + type: string + index: + type: integer + nullable: true + linger: + type: boolean + match: + type: string + pattern: ^[^\s]+$ + enum: + - status + - rstatus + - hdr + - fhdr + - string + - rstring + method: + type: string + min_recv: + type: integer + nullable: true + ok_status: + type: string + enum: + - L7OK + - L7OKC + - L6OK + - L4OK + on_error: + type: string + on_success: + type: string + pattern: + type: string + port: + type: integer + maximum: 65535 + minimum: 1 + nullable: true + port_string: + type: string + proto: + type: string + send_proxy: + type: boolean + sni: + type: string + ssl: + type: boolean + status-code: + type: string + tout_status: + type: string + enum: + - L7TOUT + - L6TOUT + - L4TOUT + type: + type: string + enum: + - comment + - connect + - disable-on-404 + - expect + - send + - send-state + - set-var + - set-var-fmt + - unset-var + uri: + type: string + uri_log_format: + type: string + var_expr: + type: string + var_format: + type: string + var_name: + type: string + pattern: ^[^\s]+$ + var_scope: + type: string + pattern: ^[^\s]+$ + version: + type: string + via_socks4: + type: boolean + http-use-htx: + type: string + enum: + - enabled + - disabled + http_connection_mode: + type: string + enum: + - httpclose + - http-server-close + - http-keep-alive + http_keep_alive_timeout: + type: integer + nullable: true + http_pretend_keepalive: + type: string + enum: + - enabled + - disabled + http_request_timeout: + type: integer + nullable: true + http_reuse: + type: string + enum: + - aggressive + - always + - never + - safe + httpchk_params: + type: object + properties: + method: + type: string + enum: + - HEAD + - PUT + - POST + - GET + - TRACE + - PATCH + uri: + type: string + pattern: ^[^ ]*$ + version: + type: string + httplog: + type: boolean + load_server_state_from_file: + type: string + enum: + - global + - local + - none + log_format: + type: string + log_format_sd: + type: string + log_health_checks: + type: string + enum: + - enabled + - disabled + log_separate_errors: + type: string + enum: + - enabled + - disabled + log_tag: + type: string + pattern: ^[^\s]+$ + logasap: + type: string + enum: + - enabled + - disabled + maxconn: + type: integer + nullable: true + mode: + type: string + enum: + - tcp + - http + monitor_uri: + type: string + mysql_check_params: + type: object + properties: + client_version: + type: string + enum: + - pre-41 + - post-41 + username: + type: string + pgsql_check_params: + type: object + properties: + username: + type: string + queue_timeout: + type: integer + nullable: true + redispatch: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + interval: + type: integer + retries: + type: integer + nullable: true + server_fin_timeout: + type: integer + nullable: true + server_timeout: + type: integer + nullable: true + smtpchk_params: + type: object + properties: + domain: + type: string + hello: + type: string + srvtcpka: + type: string + enum: + - enabled + - disabled + stats_options: + type: object + properties: + stats_admin: + type: boolean + stats_admin_cond: + type: string + enum: + - if + - unless + stats_admin_cond_test: + type: string + stats_enable: + type: boolean + stats_hide_version: + type: boolean + stats_maxconn: + type: integer + minimum: 1 + stats_refresh_delay: + type: integer + nullable: true + stats_show_desc: + type: string + nullable: true + stats_show_legends: + type: boolean + stats_show_node_name: + type: string + pattern: ^[^\s]+$ + nullable: true + stats_uri_prefix: + type: string + pattern: ^[^\s]+$ + tcpka: + type: string + enum: + - enabled + - disabled + tcplog: + type: boolean + tunnel_timeout: + type: integer + nullable: true + unique_id_format: + type: string + unique_id_header: + type: string + diff --git a/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_globals.yaml b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_globals.yaml new file mode 100644 index 0000000000..c6554900e9 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/crds/core.haproxy.org_globals.yaml @@ -0,0 +1,438 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globals.core.haproxy.org +spec: + group: core.haproxy.org + names: + kind: Global + plural: globals + scope: Namespaced + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + config: + description: HAProxy global configuration + type: object + title: Global + properties: + busy_polling: + type: boolean + ca_base: + type: string + chroot: + type: string + pattern: ^[^\s]+$ + cpu_maps: + type: array + items: + type: object + required: + - process + - cpu_set + properties: + cpu_set: + type: string + process: + type: string + crt_base: + type: string + daemon: + type: string + enum: + - enabled + - disabled + external_check: + type: boolean + gid: + type: integer + group: + type: string + pattern: ^[^\s]+$ + h1_case_adjust: + type: array + items: + type: object + required: + - from + - to + properties: + from: + type: string + to: + type: string + h1_case_adjust_file: + type: string + hard_stop_after: + type: integer + nullable: true + localpeer: + type: string + pattern: ^[^\s]+$ + log_send_hostname: + type: object + required: + - enabled + properties: + enabled: + type: string + enum: + - enabled + - disabled + param: + type: string + pattern: ^[^\s]+$ + lua_loads: + type: array + items: + type: object + required: + - file + properties: + file: + type: string + pattern: ^[^\s]+$ + lua_prepend_path: + type: array + items: + type: object + required: + - path + properties: + path: + type: string + pattern: ^[^\s]+$ + type: + type: string + enum: + - path + - cpath + master-worker: + type: boolean + max_spread_checks: + type: integer + maxcompcpuusage: + type: integer + maxcomprate: + type: integer + maxconn: + type: integer + maxconnrate: + type: integer + maxpipes: + type: integer + maxsessrate: + type: integer + maxsslconn: + type: integer + maxsslrate: + type: integer + maxzlibmem: + type: integer + nbproc: + type: integer + nbthread: + type: integer + noepoll: + type: boolean + noevports: + type: boolean + nogetaddrinfo: + type: boolean + nokqueue: + type: boolean + nopoll: + type: boolean + noreuseport: + type: boolean + nosplice: + type: boolean + pidfile: + type: string + profiling_tasks: + type: string + enum: + - auto + - on + - off + runtime_apis: + type: array + items: + type: object + required: + - address + properties: + address: + type: string + pattern: '^[^\s]+$' + mode: + type: string + pattern: '^[^\s]+$' + level: + type: string + enum: [user, operator, admin] + process: + type: string + pattern: '^[^\s]+$' + exposeFdListeners: + type: boolean + server_state_base: + type: string + pattern: ^[^\s]+$ + server_state_file: + type: string + pattern: ^[^\s]+$ + spread_checks: + type: integer + ssl_default_bind_ciphers: + type: string + ssl_default_bind_ciphersuites: + type: string + ssl_default_bind_options: + type: string + ssl_default_server_ciphers: + type: string + ssl_default_server_ciphersuites: + type: string + ssl_default_server_options: + type: string + ssl_mode_async: + type: string + enum: + - enabled + - disabled + stats_timeout: + type: integer + nullable: true + tune_options: + type: object + properties: + buffers_limit: + type: integer + nullable: true + buffers_reserve: + type: integer + minimum: 2 + bufsize: + type: integer + comp_maxlevel: + type: integer + fail_alloc: + type: boolean + h2_header_table_size: + type: integer + maximum: 65535 + h2_initial_window_size: + type: integer + nullable: true + h2_max_concurrent_streams: + type: integer + h2_max_frame_size: + type: integer + http_cookielen: + type: integer + http_logurilen: + type: integer + http_maxhdr: + type: integer + maximum: 32767 + minimum: 1 + idle_pool_shared: + type: string + enum: + - enabled + - disabled + idletimer: + type: integer + maximum: 65535 + minimum: 0 + nullable: true + listener_multi_queue: + type: string + enum: + - enabled + - disabled + lua_forced_yield: + type: integer + lua_maxmem: + type: boolean + lua_service_timeout: + type: integer + nullable: true + lua_session_timeout: + type: integer + nullable: true + lua_task_timeout: + type: integer + nullable: true + maxaccept: + type: integer + maxpollevents: + type: integer + maxrewrite: + type: integer + pattern_cache_size: + type: integer + nullable: true + pipesize: + type: integer + pool_high_fd_ratio: + type: integer + pool_low_fd_ratio: + type: integer + rcvbuf_client: + type: integer + nullable: true + rcvbuf_server: + type: integer + nullable: true + recv_enough: + type: integer + runqueue_depth: + type: integer + sched_low_latency: + type: string + enum: + - enabled + - disabled + sndbuf_client: + type: integer + nullable: true + sndbuf_server: + type: integer + nullable: true + ssl_cachesize: + type: integer + nullable: true + ssl_capture_buffer_size: + type: integer + nullable: true + ssl_ctx_cache_size: + type: integer + ssl_default_dh_param: + type: integer + ssl_force_private_cache: + type: boolean + ssl_keylog: + type: string + enum: + - enabled + - disabled + ssl_lifetime: + type: integer + nullable: true + ssl_maxrecord: + type: integer + nullable: true + vars_global_max_size: + type: integer + nullable: true + vars_proc_max_size: + type: integer + nullable: true + vars_reqres_max_size: + type: integer + nullable: true + vars_sess_max_size: + type: integer + nullable: true + vars_txn_max_size: + type: integer + nullable: true + zlib_memlevel: + type: integer + maximum: 9 + minimum: 1 + zlib_windowsize: + type: integer + maximum: 15 + minimum: 8 + tune_ssl_default_dh_param: + type: integer + uid: + type: integer + user: + type: string + pattern: ^[^\s]+$ + log_targets: + type: array + items: + type: object + required: + - address + - facility + properties: + index: + type: integer + nullable: true + address: + type: string + pattern: ^[^\s]+$ + length: + type: integer + format: + type: string + enum: + - rfc3164 + - rfc5424 + - short + - raw + facility: + type: string + enum: + - kern + - user + - mail + - daemon + - auth + - syslog + - lpr + - news + - uucp + - cron + - auth2 + - ftp + - ntp + - audit + - alert + - cron2 + - local0 + - local1 + - local2 + - local3 + - local4 + - local5 + - local6 + - local7 + level: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + minlevel: + type: string + enum: + - emerg + - alert + - crit + - err + - warning + - notice + - info + - debug + diff --git a/charts/haproxy/haproxy/1.34.1/questions.yml b/charts/haproxy/haproxy/1.34.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.34.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.34.1/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.34.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.34.1/templates/_helpers.tpl new file mode 100644 index 0000000000..556b32e238 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/_helpers.tpl @@ -0,0 +1,155 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.34.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.34.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..12de84d5b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/clusterrole.yaml @@ -0,0 +1,120 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - update +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.34.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-hpa.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-hpa.yaml rename to charts/haproxy/haproxy/1.34.1/templates/controller-hpa.yaml diff --git a/charts/haproxy/haproxy/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-ingressclass.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-ingressclass.yaml rename to charts/haproxy/haproxy/1.34.1/templates/controller-ingressclass.yaml diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-poddisruptionbudget.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-poddisruptionbudget.yaml rename to charts/haproxy/haproxy/1.34.1/templates/controller-poddisruptionbudget.yaml diff --git a/charts/haproxy/haproxy/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-podsecuritypolicy.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-podsecuritypolicy.yaml rename to charts/haproxy/haproxy/1.34.1/templates/controller-podsecuritypolicy.yaml diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.34.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.34.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.34.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.34.1/values.yaml b/charts/haproxy/haproxy/1.34.1/values.yaml new file mode 100644 index 0000000000..d474af0857 --- /dev/null +++ b/charts/haproxy/haproxy/1.34.1/values.yaml @@ -0,0 +1,535 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.35.0/.helmignore b/charts/haproxy/haproxy/1.35.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.35.0/Chart.yaml b/charts/haproxy/haproxy/1.35.0/Chart.yaml new file mode 100644 index 0000000000..3bb32a46a2 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.10.10 version for base image + - Add CRD install/upgrade job for automated CRD management + - Remove default CRDs provided by Chart + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.10 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.35.0 diff --git a/charts/haproxy/haproxy/1.35.0/README.md b/charts/haproxy/haproxy/1.35.0/README.md new file mode 100644 index 0000000000..e5fcd1fb19 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/README.md @@ -0,0 +1,288 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.35.0/app-readme.md b/charts/haproxy/haproxy/1.35.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.35.0/chart-icon.png b/charts/haproxy/haproxy/1.35.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.35.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.35.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.35.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.0/questions.yml b/charts/haproxy/haproxy/1.35.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.35.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.35.0/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.35.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.35.0/templates/_helpers.tpl new file mode 100644 index 0000000000..94079183aa --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified default CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "crdjob" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.35.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.35.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..e343832f98 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/clusterrole.yaml @@ -0,0 +1,134 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.35.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..7165dc3979 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-crdjob.yaml @@ -0,0 +1,51 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + restartPolicy: Never + backoffLimit: 0 diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.35.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.35.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.0/values.yaml b/charts/haproxy/haproxy/1.35.0/values.yaml new file mode 100644 index 0000000000..5c95ccb706 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.0/values.yaml @@ -0,0 +1,540 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.1/.helmignore b/charts/haproxy/haproxy/1.35.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.35.1/Chart.yaml b/charts/haproxy/haproxy/1.35.1/Chart.yaml new file mode 100644 index 0000000000..e89bd6fba9 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - CRD job updates and bug fixes + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.10 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.35.1 diff --git a/charts/haproxy/haproxy/1.35.1/README.md b/charts/haproxy/haproxy/1.35.1/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.35.1/app-readme.md b/charts/haproxy/haproxy/1.35.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.35.1/chart-icon.png b/charts/haproxy/haproxy/1.35.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.35.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.35.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.35.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.1/questions.yml b/charts/haproxy/haproxy/1.35.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.35.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.35.1/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.35.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.35.1/templates/_helpers.tpl new file mode 100644 index 0000000000..94079183aa --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified default CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "crdjob" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.35.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.35.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..e343832f98 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/clusterrole.yaml @@ -0,0 +1,134 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.35.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..5ca3648d8f --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-crdjob.yaml @@ -0,0 +1,105 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: +{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }} + ttlSecondsAfterFinished: 0 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.35.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.35.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.1/values.yaml b/charts/haproxy/haproxy/1.35.1/values.yaml new file mode 100644 index 0000000000..5c95ccb706 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.1/values.yaml @@ -0,0 +1,540 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.3/.helmignore b/charts/haproxy/haproxy/1.35.3/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.35.3/Chart.yaml b/charts/haproxy/haproxy/1.35.3/Chart.yaml new file mode 100644 index 0000000000..ca517e02d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Increase CRD job cleanup TTL to 120s (#213) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.10 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.35.3 diff --git a/charts/haproxy/haproxy/1.35.3/README.md b/charts/haproxy/haproxy/1.35.3/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.35.3/app-readme.md b/charts/haproxy/haproxy/1.35.3/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.35.3/chart-icon.png b/charts/haproxy/haproxy/1.35.3/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.35.3/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.3/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.35.3/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.35.3/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.3/questions.yml b/charts/haproxy/haproxy/1.35.3/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.35.3/templates/NOTES.txt b/charts/haproxy/haproxy/1.35.3/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.35.3/templates/_helpers.tpl b/charts/haproxy/haproxy/1.35.3/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.35.3/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.35.3/templates/clusterrole.yaml new file mode 100644 index 0000000000..e343832f98 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/clusterrole.yaml @@ -0,0 +1,134 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.3/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.35.3/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..c1f9a3c6a7 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-crdjob.yaml @@ -0,0 +1,105 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-role.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-service.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.3/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.35.3/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.3/templates/namespace.yaml b/charts/haproxy/haproxy/1.35.3/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.3/values.yaml b/charts/haproxy/haproxy/1.35.3/values.yaml new file mode 100644 index 0000000000..5c95ccb706 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.3/values.yaml @@ -0,0 +1,540 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.5/.helmignore b/charts/haproxy/haproxy/1.35.5/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.35.5/Chart.yaml b/charts/haproxy/haproxy/1.35.5/Chart.yaml new file mode 100644 index 0000000000..44c31d73b2 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Remove unneeded initContainers from CRD job (#215) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.10 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.35.5 diff --git a/charts/haproxy/haproxy/1.35.5/README.md b/charts/haproxy/haproxy/1.35.5/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.35.5/app-readme.md b/charts/haproxy/haproxy/1.35.5/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.35.5/chart-icon.png b/charts/haproxy/haproxy/1.35.5/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.35.5/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.35.5/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.35.5/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.35.5/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.35.5/questions.yml b/charts/haproxy/haproxy/1.35.5/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.35.5/templates/NOTES.txt b/charts/haproxy/haproxy/1.35.5/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.35.5/templates/_helpers.tpl b/charts/haproxy/haproxy/1.35.5/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.35.5/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.35.5/templates/clusterrole.yaml new file mode 100644 index 0000000000..e343832f98 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/clusterrole.yaml @@ -0,0 +1,134 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.5/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.35.5/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..7d88e8d038 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-daemonset.yaml @@ -0,0 +1,251 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03c78de2db --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-deployment.yaml @@ -0,0 +1,246 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumeMounts .Values.aws.licenseConfigSecretName }} + volumeMounts: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- end}} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.controller.extraVolumes .Values.aws.licenseConfigSecretName }} + volumes: + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-role.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-service.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..a15bded936 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-serviceaccount.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.5/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.35.5/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.35.5/templates/namespace.yaml b/charts/haproxy/haproxy/1.35.5/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.35.5/values.yaml b/charts/haproxy/haproxy/1.35.5/values.yaml new file mode 100644 index 0000000000..5c95ccb706 --- /dev/null +++ b/charts/haproxy/haproxy/1.35.5/values.yaml @@ -0,0 +1,540 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.36.1/.helmignore b/charts/haproxy/haproxy/1.36.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.36.1/Chart.yaml b/charts/haproxy/haproxy/1.36.1/Chart.yaml new file mode 100644 index 0000000000..93cb25fcb2 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Move automountServiceAccountToken flag from pods to ServiceAccount configuration (fixes for #217) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.10 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.36.1 diff --git a/charts/haproxy/haproxy/1.36.1/README.md b/charts/haproxy/haproxy/1.36.1/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.36.1/app-readme.md b/charts/haproxy/haproxy/1.36.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.36.1/chart-icon.png b/charts/haproxy/haproxy/1.36.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.36.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.36.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.36.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.36.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.36.1/questions.yml b/charts/haproxy/haproxy/1.36.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.36.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.36.1/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.36.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.36.1/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.36.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.36.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..e343832f98 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/clusterrole.yaml @@ -0,0 +1,134 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.36.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.36.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..ee20eb2d58 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-daemonset.yaml @@ -0,0 +1,261 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..71753220ee --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-deployment.yaml @@ -0,0 +1,256 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-serviceaccount.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-serviceaccount.yaml rename to charts/haproxy/haproxy/1.36.1/templates/controller-serviceaccount.yaml diff --git a/charts/haproxy/haproxy/1.36.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.36.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.36.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.36.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.36.1/values.yaml b/charts/haproxy/haproxy/1.36.1/values.yaml new file mode 100644 index 0000000000..0d3f4f431a --- /dev/null +++ b/charts/haproxy/haproxy/1.36.1/values.yaml @@ -0,0 +1,541 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.37.0/.helmignore b/charts/haproxy/haproxy/1.37.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.37.0/Chart.yaml b/charts/haproxy/haproxy/1.37.0/Chart.yaml new file mode 100644 index 0000000000..19e418346c --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + artifacthub.io/changes: | + - Allow setting hostIP for daemonset (#220) + - Add missing permissions for v1 CRDs (#222) + - Use Ingress Controller 1.10.11 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.10.11 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.37.0 diff --git a/charts/haproxy/haproxy/1.37.0/README.md b/charts/haproxy/haproxy/1.37.0/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.37.0/app-readme.md b/charts/haproxy/haproxy/1.37.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.37.0/chart-icon.png b/charts/haproxy/haproxy/1.37.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.37.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.37.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.37.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.37.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.37.0/questions.yml b/charts/haproxy/haproxy/1.37.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.37.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.37.0/templates/NOTES.txt new file mode 100644 index 0000000000..6028ea0dcf --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/NOTES.txt @@ -0,0 +1,70 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.37.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.37.0/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.37.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.37.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..36e079bf60 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/clusterrole.yaml @@ -0,0 +1,144 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.37.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.37.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..56b082ace4 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-daemonset.yaml @@ -0,0 +1,268 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..71753220ee --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-deployment.yaml @@ -0,0 +1,256 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-service.yaml new file mode 100644 index 0000000000..3afc7c5161 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-service.yaml @@ -0,0 +1,123 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.37.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.37.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.37.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.37.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.37.0/values.yaml b/charts/haproxy/haproxy/1.37.0/values.yaml new file mode 100644 index 0000000000..71b04ee792 --- /dev/null +++ b/charts/haproxy/haproxy/1.37.0/values.yaml @@ -0,0 +1,542 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## Ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + # ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.2/.helmignore b/charts/haproxy/haproxy/1.38.2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.38.2/Chart.yaml b/charts/haproxy/haproxy/1.38.2/Chart.yaml new file mode 100644 index 0000000000..e93debc555 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.0 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.0 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.38.2 diff --git a/charts/haproxy/haproxy/1.38.2/README.md b/charts/haproxy/haproxy/1.38.2/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.38.2/app-readme.md b/charts/haproxy/haproxy/1.38.2/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.38.2/chart-icon.png b/charts/haproxy/haproxy/1.38.2/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.38.2/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.38.2/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.38.2/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.38.2/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.38.2/questions.yml b/charts/haproxy/haproxy/1.38.2/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.38.2/templates/NOTES.txt b/charts/haproxy/haproxy/1.38.2/templates/NOTES.txt new file mode 100644 index 0000000000..6927cf8902 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/NOTES.txt @@ -0,0 +1,105 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.38.2/templates/_helpers.tpl b/charts/haproxy/haproxy/1.38.2/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.38.2/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.38.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..36e079bf60 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/clusterrole.yaml @@ -0,0 +1,144 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.2/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.38.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..1c8594c5e6 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-daemonset.yaml @@ -0,0 +1,279 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..990f70c147 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-deployment.yaml @@ -0,0 +1,261 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-role.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..2c0f52a07d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-service.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-service.yaml new file mode 100644 index 0000000000..d6b4b71d15 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.2/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.38.2/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.2/templates/namespace.yaml b/charts/haproxy/haproxy/1.38.2/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.2/values.yaml b/charts/haproxy/haproxy/1.38.2/values.yaml new file mode 100644 index 0000000000..b3bdb0181a --- /dev/null +++ b/charts/haproxy/haproxy/1.38.2/values.yaml @@ -0,0 +1,554 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.5/.helmignore b/charts/haproxy/haproxy/1.38.5/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.38.5/Chart.yaml b/charts/haproxy/haproxy/1.38.5/Chart.yaml new file mode 100644 index 0000000000..7867e6d185 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.2 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.2 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.22.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.38.5 diff --git a/charts/haproxy/haproxy/1.38.5/README.md b/charts/haproxy/haproxy/1.38.5/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.38.5/app-readme.md b/charts/haproxy/haproxy/1.38.5/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.38.5/chart-icon.png b/charts/haproxy/haproxy/1.38.5/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.38.5/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.38.5/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.38.5/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.38.5/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.38.5/questions.yml b/charts/haproxy/haproxy/1.38.5/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.38.5/templates/NOTES.txt b/charts/haproxy/haproxy/1.38.5/templates/NOTES.txt new file mode 100644 index 0000000000..0c37a87d1b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.38.5/templates/_helpers.tpl b/charts/haproxy/haproxy/1.38.5/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.38.5/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.38.5/templates/clusterrole.yaml new file mode 100644 index 0000000000..36e079bf60 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/clusterrole.yaml @@ -0,0 +1,144 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.5/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.38.5/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..2495248996 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-daemonset.yaml @@ -0,0 +1,283 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-deployment.yaml new file mode 100644 index 0000000000..12b7242f45 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-deployment.yaml @@ -0,0 +1,265 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-role.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7c97ceae81 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-service.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.5/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.38.5/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.38.5/templates/namespace.yaml b/charts/haproxy/haproxy/1.38.5/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.38.5/values.yaml b/charts/haproxy/haproxy/1.38.5/values.yaml new file mode 100644 index 0000000000..3cd4ffd452 --- /dev/null +++ b/charts/haproxy/haproxy/1.38.5/values.yaml @@ -0,0 +1,565 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.0/.helmignore b/charts/haproxy/haproxy/1.39.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.39.0/Chart.yaml b/charts/haproxy/haproxy/1.39.0/Chart.yaml new file mode 100644 index 0000000000..32b4eca536 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.3 version for base image + - Add more permissions needed for techdump tool + - Parametrize metrics service type (#231) + - Require K8s >= 1.23.0 + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.3 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.39.0 diff --git a/charts/haproxy/haproxy/1.39.0/README.md b/charts/haproxy/haproxy/1.39.0/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.39.0/app-readme.md b/charts/haproxy/haproxy/1.39.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.39.0/chart-icon.png b/charts/haproxy/haproxy/1.39.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.39.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.39.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.39.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.0/questions.yml b/charts/haproxy/haproxy/1.39.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.39.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.39.0/templates/NOTES.txt new file mode 100644 index 0000000000..0c37a87d1b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.39.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.39.0/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.39.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.39.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..c3e0f0b4be --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/clusterrole.yaml @@ -0,0 +1,145 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +{{- if .Values.controller.techdump.enabled }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.39.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..2495248996 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-daemonset.yaml @@ -0,0 +1,283 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..12b7242f45 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-deployment.yaml @@ -0,0 +1,265 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-service-metrics.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-service-metrics.yaml rename to charts/haproxy/haproxy/1.39.0/templates/controller-service-metrics.yaml diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.39.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.39.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.0/values.yaml b/charts/haproxy/haproxy/1.39.0/values.yaml new file mode 100644 index 0000000000..5decd4024c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.0/values.yaml @@ -0,0 +1,567 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Techdump + ## Toggle to add the RBAC permissions needed for the techdump tool. + techdump: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.1/.helmignore b/charts/haproxy/haproxy/1.39.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.39.1/Chart.yaml b/charts/haproxy/haproxy/1.39.1/Chart.yaml new file mode 100644 index 0000000000..8cbb729993 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Remove techdump toggle entirely + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.3 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.39.1 diff --git a/charts/haproxy/haproxy/1.39.1/README.md b/charts/haproxy/haproxy/1.39.1/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.39.1/app-readme.md b/charts/haproxy/haproxy/1.39.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.39.1/chart-icon.png b/charts/haproxy/haproxy/1.39.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.39.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.39.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.39.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.1/questions.yml b/charts/haproxy/haproxy/1.39.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.39.1/templates/NOTES.txt b/charts/haproxy/haproxy/1.39.1/templates/NOTES.txt new file mode 100644 index 0000000000..b3e3b463d1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.39.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.39.1/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.39.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.39.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..999c4c8efc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/clusterrole.yaml @@ -0,0 +1,143 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.39.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..daf231dfd4 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-crdjob.yaml @@ -0,0 +1,104 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..06110d6c5f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-daemonset.yaml @@ -0,0 +1,283 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-deployment.yaml new file mode 100644 index 0000000000..abd8b12aa2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-deployment.yaml @@ -0,0 +1,265 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-service.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.39.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.39.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.1/values.yaml b/charts/haproxy/haproxy/1.39.1/values.yaml new file mode 100644 index 0000000000..b7ae90a36f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.1/values.yaml @@ -0,0 +1,562 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.39.2/.helmignore b/charts/haproxy/haproxy/1.39.2/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.39.2/Chart.yaml b/charts/haproxy/haproxy/1.39.2/Chart.yaml new file mode 100644 index 0000000000..148678631c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Allow setting resources requests or limits on crdjob (#236) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.3 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.39.2 diff --git a/charts/haproxy/haproxy/1.39.2/README.md b/charts/haproxy/haproxy/1.39.2/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.39.2/app-readme.md b/charts/haproxy/haproxy/1.39.2/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.39.2/chart-icon.png b/charts/haproxy/haproxy/1.39.2/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.39.2/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.2/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.39.2/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.39.2/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.2/questions.yml b/charts/haproxy/haproxy/1.39.2/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.39.2/templates/NOTES.txt b/charts/haproxy/haproxy/1.39.2/templates/NOTES.txt new file mode 100644 index 0000000000..b3e3b463d1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.39.2/templates/_helpers.tpl b/charts/haproxy/haproxy/1.39.2/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.39.2/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.39.2/templates/clusterrole.yaml new file mode 100644 index 0000000000..999c4c8efc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/clusterrole.yaml @@ -0,0 +1,143 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.2/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.39.2/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..3b7d8f6401 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-crdjob.yaml @@ -0,0 +1,106 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..06110d6c5f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-daemonset.yaml @@ -0,0 +1,283 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-deployment.yaml new file mode 100644 index 0000000000..abd8b12aa2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-deployment.yaml @@ -0,0 +1,265 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-role.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-service.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.2/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.39.2/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.2/templates/namespace.yaml b/charts/haproxy/haproxy/1.39.2/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.2/values.yaml b/charts/haproxy/haproxy/1.39.2/values.yaml new file mode 100644 index 0000000000..b7ae90a36f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.2/values.yaml @@ -0,0 +1,562 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.39.3/.helmignore b/charts/haproxy/haproxy/1.39.3/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.39.3/Chart.yaml b/charts/haproxy/haproxy/1.39.3/Chart.yaml new file mode 100644 index 0000000000..4f694b487f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 1.11.4 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.39.3 diff --git a/charts/haproxy/haproxy/1.39.3/README.md b/charts/haproxy/haproxy/1.39.3/README.md new file mode 100644 index 0000000000..e5a88db1c2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/README.md @@ -0,0 +1,298 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +By default Helm chart will install several [custom resource definitions](https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress/crds) in the cluster if they are missing. + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.39.3/app-readme.md b/charts/haproxy/haproxy/1.39.3/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.39.3/chart-icon.png b/charts/haproxy/haproxy/1.39.3/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.39.3/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.3/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.39.3/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.39.3/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.39.3/questions.yml b/charts/haproxy/haproxy/1.39.3/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.39.3/templates/NOTES.txt b/charts/haproxy/haproxy/1.39.3/templates/NOTES.txt new file mode 100644 index 0000000000..b3e3b463d1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.39.3/templates/_helpers.tpl b/charts/haproxy/haproxy/1.39.3/templates/_helpers.tpl new file mode 100644 index 0000000000..bea1374a79 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/_helpers.tpl @@ -0,0 +1,162 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.39.3/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.39.3/templates/clusterrole.yaml new file mode 100644 index 0000000000..999c4c8efc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/clusterrole.yaml @@ -0,0 +1,143 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.3/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.39.3/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..3b7d8f6401 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-crdjob.yaml @@ -0,0 +1,106 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..06110d6c5f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-daemonset.yaml @@ -0,0 +1,283 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-deployment.yaml new file mode 100644 index 0000000000..abd8b12aa2 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-deployment.yaml @@ -0,0 +1,265 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-role.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-service.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.3/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.39.3/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.3/templates/namespace.yaml b/charts/haproxy/haproxy/1.39.3/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.3/values.yaml b/charts/haproxy/haproxy/1.39.3/values.yaml new file mode 100644 index 0000000000..b7ae90a36f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.3/values.yaml @@ -0,0 +1,562 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "{{ .Chart.AppVersion }}" + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s diff --git a/charts/haproxy/haproxy/1.39.4/.helmignore b/charts/haproxy/haproxy/1.39.4/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.39.4/Chart.yaml b/charts/haproxy/haproxy/1.39.4/Chart.yaml new file mode 100644 index 0000000000..2012af0e66 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Replace tpl with default for Ingress Controller image tag (#244) + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 1.11.4 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.39.4 diff --git a/charts/haproxy/haproxy/README.md b/charts/haproxy/haproxy/1.39.4/README.md similarity index 100% rename from charts/haproxy/haproxy/README.md rename to charts/haproxy/haproxy/1.39.4/README.md diff --git a/charts/haproxy/haproxy/1.39.4/app-readme.md b/charts/haproxy/haproxy/1.39.4/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.39.4/chart-icon.png b/charts/haproxy/haproxy/1.39.4/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.39.4/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.39.4/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/ci/daemonset-unprivileged-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/daemonset-unprivileged-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/daemonset-unprivileged-values.yaml rename to charts/haproxy/haproxy/1.39.4/ci/daemonset-unprivileged-values.yaml diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.39.4/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/ci/deployment-unprivileged-values.yaml b/charts/haproxy/haproxy/1.39.4/ci/deployment-unprivileged-values.yaml similarity index 100% rename from charts/haproxy/haproxy/ci/deployment-unprivileged-values.yaml rename to charts/haproxy/haproxy/1.39.4/ci/deployment-unprivileged-values.yaml diff --git a/charts/haproxy/haproxy/1.39.4/questions.yml b/charts/haproxy/haproxy/1.39.4/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.39.4/templates/NOTES.txt b/charts/haproxy/haproxy/1.39.4/templates/NOTES.txt new file mode 100644 index 0000000000..54105c60c6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/templates/_helpers.tpl b/charts/haproxy/haproxy/1.39.4/templates/_helpers.tpl similarity index 100% rename from charts/haproxy/haproxy/templates/_helpers.tpl rename to charts/haproxy/haproxy/1.39.4/templates/_helpers.tpl diff --git a/charts/haproxy/haproxy/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.39.4/templates/clusterrole.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/clusterrole.yaml rename to charts/haproxy/haproxy/1.39.4/templates/clusterrole.yaml diff --git a/charts/haproxy/haproxy/1.39.4/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.39.4/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-crdjob.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-crdjob.yaml rename to charts/haproxy/haproxy/1.39.4/templates/controller-crdjob.yaml diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..671a61bae6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-daemonset.yaml @@ -0,0 +1,288 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-deployment.yaml new file mode 100644 index 0000000000..6653aecca8 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-deployment.yaml @@ -0,0 +1,281 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- if eq .Values.controller.sync.mode "fetch" }} + {{- if .Values.controller.sync.fetchParams.period }} + - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }} + {{- end }} + {{- if eq .Values.controller.sync.fetchParams.source "k8s" }} + - --k8s-api-sync-type=k8s + {{- else if eq .Values.controller.sync.fetchParams.source "proxy" }} + - --k8s-api-sync-type=proxy + - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }} + {{- end }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-deployment.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-deployment.yaml new file mode 100644 index 0000000000..5a6b0021b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-deployment.yaml @@ -0,0 +1,276 @@ +{{/* +Copyright 2024 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.serviceProxyName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.sync.proxyParams.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} + - --proxy-server-mode + - --k8s-api-sync-type=k8s + - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }} +{{- if .Values.controller.sync.fetchParams.period }} + - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-service.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-service.yaml new file mode 100644 index 0000000000..3864528f14 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-proxy-service.yaml @@ -0,0 +1,61 @@ +{{/* +Copyright 2024 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceProxyName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._0 }}: {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._1 }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-role.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-service.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.39.4/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.39.4/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.39.4/templates/namespace.yaml b/charts/haproxy/haproxy/1.39.4/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.39.4/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/values.yaml b/charts/haproxy/haproxy/1.39.4/values.yaml similarity index 100% rename from charts/haproxy/haproxy/values.yaml rename to charts/haproxy/haproxy/1.39.4/values.yaml diff --git a/charts/haproxy/haproxy/1.40.0/.helmignore b/charts/haproxy/haproxy/1.40.0/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/1.40.0/Chart.yaml b/charts/haproxy/haproxy/1.40.0/Chart.yaml new file mode 100644 index 0000000000..10f2e5b31b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/changes: | + - Use Ingress Controller 3.0.0 version for base image + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HAProxy Kubernetes Ingress Controller + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: haproxy +apiVersion: v2 +appVersion: 3.0.0 +description: A Helm chart for HAProxy Kubernetes Ingress Controller +home: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress +icon: https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/chart-icon.png +keywords: +- ingress +- haproxy +kubeVersion: '>=1.23.0-0' +maintainers: +- email: dkorunic@haproxy.com + name: Dinko Korunic +name: haproxy +sources: +- https://github.com/haproxytech/kubernetes-ingress +type: application +version: 1.40.0 diff --git a/charts/haproxy/haproxy/1.40.0/README.md b/charts/haproxy/haproxy/1.40.0/README.md new file mode 100644 index 0000000000..2be5b7835c --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/README.md @@ -0,0 +1,296 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.40.0/app-readme.md b/charts/haproxy/haproxy/1.40.0/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.40.0/chart-icon.png b/charts/haproxy/haproxy/1.40.0/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.40.0/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.40.0/ci/daemonset-unprivileged-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/daemonset-unprivileged-values.yaml new file mode 100644 index 0000000000..0311d62c19 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/daemonset-unprivileged-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + unprivileged: true + allowPrivilegedPorts: true diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.40.0/ci/deployment-unprivileged-values.yaml b/charts/haproxy/haproxy/1.40.0/ci/deployment-unprivileged-values.yaml new file mode 100644 index 0000000000..475f8b3f6e --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/ci/deployment-unprivileged-values.yaml @@ -0,0 +1,3 @@ +controller: + unprivileged: true + allowPrivilegedPorts: true diff --git a/charts/haproxy/haproxy/1.40.0/questions.yml b/charts/haproxy/haproxy/1.40.0/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/1.40.0/templates/NOTES.txt b/charts/haproxy/haproxy/1.40.0/templates/NOTES.txt new file mode 100644 index 0000000000..54105c60c6 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/NOTES.txt @@ -0,0 +1,109 @@ +HAProxy Kubernetes Ingress Controller has been successfully installed. + +Controller image deployed is: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}". +Your controller is of a "{{ .Values.controller.kind }}" kind. Your controller service is running as a "{{ .Values.controller.service.type }}" type. +{{- if .Values.rbac.create}} +RBAC authorization is enabled. +{{- else}} +RBAC authorization is disabled. +{{- end}} +{{- if .Values.controller.ingressClass}} +Controller ingress.class is set to "{{ .Values.controller.ingressClass }}" so make sure to use same annotation for +Ingress resource. +{{- end}} +{{- if .Values.controller.gatewayControllerName}} +Controller Gateway Controller Name is set to "{{ .Values.controller.gatewayControllerName }}" so make sure +that Gateway API CRDs are installed in Kubernetes. +{{- end}} + +Service ports mapped are: +{{- if eq .Values.controller.kind "Deployment" }} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP +{{- end }} +{{- end }} +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +{{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP +{{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP +{{- if $useHostPort }} + hostPort: {{ .port }} +{{- end }} +{{- if $hostIP }} + hostIP: {{ $hostIP }} +{{- end }} +{{- end }} +{{- end }} + +Node IP can be found with: + $ kubectl --namespace {{ include "kubernetes-ingress.namespace" . }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}" + +The following ingress resource routes traffic to pods that match the following: + * service name: web + * client's Host header: webdemo.com + * path begins with / + + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: web-ingress + namespace: default + annotations: + ingress.class: "haproxy" + spec: + rules: + - host: webdemo.com + http: + paths: + - path: / + backend: + serviceName: web + servicePort: 80 + +In case that you are using multi-ingress controller environment, make sure to use ingress.class annotation and match it +with helm chart option controller.ingressClass. + +For more examples and up to date documentation, please visit: + * Helm chart documentation: https://github.com/haproxytech/helm-charts/tree/main/kubernetes-ingress + * Controller documentation: https://www.haproxy.com/documentation/kubernetes/latest/ + * Annotation reference: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + * Image parameters reference: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md diff --git a/charts/haproxy/haproxy/1.40.0/templates/_helpers.tpl b/charts/haproxy/haproxy/1.40.0/templates/_helpers.tpl new file mode 100644 index 0000000000..b26683bdb4 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/_helpers.tpl @@ -0,0 +1,169 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the proxy pods. +*/}} +{{- define "kubernetes-ingress.serviceProxyName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 58 | trimSuffix "-") "proxy" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.40.0/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.40.0/templates/clusterrole.yaml new file mode 100644 index 0000000000..e106b0b34d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/clusterrole.yaml @@ -0,0 +1,151 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - "*" +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.0/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.40.0/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..bddc564bd0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-crdjob.yaml @@ -0,0 +1,106 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-daemonset.yaml new file mode 100644 index 0000000000..671a61bae6 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-daemonset.yaml @@ -0,0 +1,288 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "DaemonSet" }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork -}} +{{- $useHostPort := .Values.controller.daemonset.useHostPort -}} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- $hostIP := .Values.controller.daemonset.hostIP -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- with .Values.controller.strategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if $useHostNetwork }} + hostNetwork: true + {{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ index $hostPorts $key | default $value }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- if $useHostPort }} + hostPort: {{ .Values.controller.daemonset.hostPorts.https }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .port }} + protocol: TCP + {{- if $useHostPort }} + hostPort: {{ .port }} + {{- end }} + {{- if $hostIP }} + hostIP: {{ $hostIP }} + {{- end }} + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-deployment.yaml new file mode 100644 index 0000000000..6653aecca8 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-deployment.yaml @@ -0,0 +1,281 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if eq .Values.controller.kind "Deployment" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} +{{- if eq .Values.controller.sync.mode "fetch" }} + {{- if .Values.controller.sync.fetchParams.period }} + - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }} + {{- end }} + {{- if eq .Values.controller.sync.fetchParams.source "k8s" }} + - --k8s-api-sync-type=k8s + {{- else if eq .Values.controller.sync.fetchParams.source "proxy" }} + - --k8s-api-sync-type=proxy + - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }} + {{- end }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-proxy-deployment.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-proxy-deployment.yaml new file mode 100644 index 0000000000..5a6b0021b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-proxy-deployment.yaml @@ -0,0 +1,276 @@ +{{/* +Copyright 2024 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kubernetes-ingress.serviceProxyName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.extraLabels }} +{{ toYaml .Values.controller.extraLabels | indent 4 }} + {{- end }} +spec: + {{- if and (not .Values.controller.autoscaling.enabled) (not .Values.controller.keda.enabled) }} + replicas: {{ .Values.controller.sync.proxyParams.replicaCount }} + {{- end }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.controller.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + enableServiceLinks: {{ .Values.controller.enableServiceLinks }} + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} +{{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.controller.dnsConfig }} + dnsConfig: +{{ toYaml .Values.controller.dnsConfig | indent 8 }} +{{- end }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- if .Values.controller.allowPrivilegedPorts }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" +{{- end }} +{{- end }} + containers: + - name: {{ include "kubernetes-ingress.name" . }}-{{ .Values.controller.name }} + image: "{{ .Values.controller.image.repository }}:{{ tpl .Values.controller.image.tag . }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: +{{- if .Values.controller.defaultTLSSecret.enabled -}} +{{- if and .Values.controller.defaultTLSSecret.secret .Values.controller.defaultTLSSecret.secretNamespace }} + - --default-ssl-certificate={{ tpl .Values.controller.defaultTLSSecret.secretNamespace . }}/{{ .Values.controller.defaultTLSSecret.secret }} +{{- else }} + - --default-ssl-certificate={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} +{{- end }} +{{- end }} + - --configmap={{ include "kubernetes-ingress.namespace" . }}/{{ include "kubernetes-ingress.fullname" . }} + - --http-bind-port={{ .Values.controller.containerPort.http }} + - --https-bind-port={{ .Values.controller.containerPort.https }} +{{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - --quic-bind-port={{ .Values.controller.containerPort.https }} + - --quic-announce-port={{ .Values.controller.service.ports.https }} +{{- end }} +{{- if .Values.controller.ingressClass }} + - --ingress.class={{ .Values.controller.ingressClass }} +{{- end }} +{{- if and .Values.controller.kubernetesGateway.enabled .Values.controller.kubernetesGateway.gatewayControllerName }} + - --gateway-controller-name={{ .Values.controller.kubernetesGateway.gatewayControllerName }} +{{- end }} +{{- if .Values.controller.publishService.enabled }} + - --publish-service={{ include "kubernetes-ingress.publishServicePath" . }} +{{- end }} +{{- if .Values.controller.logging.level }} + - --log={{ .Values.controller.logging.level }} +{{- end }} +{{- if .Values.controller.service.enablePorts.prometheus }} + - --prometheus +{{- end }} + - --proxy-server-mode + - --k8s-api-sync-type=k8s + - --proxy-svc-label-selector={{ .Values.controller.sync.proxyParams.proxySvcLabelSelector }} +{{- if .Values.controller.sync.fetchParams.period }} + - --proxy-k8s-fetch-period={{ .Values.controller.sync.fetchParams.period }} +{{- end }} +{{- range .Values.controller.extraArgs }} + - {{ . }} +{{- end }} + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- end }} + ports: + {{- range $key, $value := .Values.controller.containerPort }} + - name: {{ $key }} + containerPort: {{ $value }} + protocol: TCP + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + containerPort: {{ .Values.controller.containerPort.https }} + protocol: UDP + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + containerPort: {{ .targetPort }} + protocol: TCP + {{- end }} + {{- with .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + {{- with .Values.controller.startupProbe }} + startupProbe: + {{- toYaml . | trim | nindent 12 }} + {{- end }} + env: + {{- if .Values.aws.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.aws.licenseConfigSecretName }} + key: iam_role + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.extraEnvs -}} + {{- toYaml .Values.controller.extraEnvs | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- if .Values.controller.lifecycle }} + lifecycle: + {{- if eq "string" (printf "%T" .Values.controller.lifecycle) }} +{{ tpl .Values.controller.lifecycle . | indent 12 }} + {{- else }} +{{ toYaml .Values.controller.lifecycle | indent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + subPath: tmp + - name: tmp + mountPath: /run + subPath: run + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + readOnly: true + mountPath: /var/run/secrets/product-license + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumeMounts) }} +{{ tpl .Values.controller.extraVolumeMounts . | indent 12 }} + {{- else if gt (len .Values.controller.extraVolumeMounts) 0 }} +{{ toYaml .Values.controller.extraVolumeMounts | indent 12 }} + {{- end }} + {{- if .Values.controller.extraContainers }} + {{- if eq "string" (printf "%T" .Values.controller.extraContainers) }} +{{ tpl .Values.controller.extraContainers . | indent 8 }} + {{- else }} +{{ toYaml .Values.controller.extraContainers | indent 8 }} + {{- end }} + {{- end }} + volumes: + - name: tmp + {{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }} + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.aws.licenseConfigSecretName }} + - name: aws-product-license + secret: + secretName: {{ .Values.aws.licenseConfigSecretName }} + optional: true + {{- end }} + {{- if eq "string" (printf "%T" .Values.controller.extraVolumes) }} +{{ tpl .Values.controller.extraVolumes . | indent 8 }} + {{- else if gt (len .Values.controller.extraVolumes) 0 }} +{{ toYaml .Values.controller.extraVolumes | indent 8 }} + {{- end }} + {{- with.Values.controller.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-proxy-service.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-proxy-service.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-proxy-service.yaml rename to charts/haproxy/haproxy/1.40.0/templates/controller-proxy-service.yaml diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-role.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-service.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-service.yaml new file mode 100644 index 0000000000..efb20692ef --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-service.yaml @@ -0,0 +1,138 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + {{ with .Values.controller.service.clusterIP }}clusterIP: {{ . }}{{ end }} + type: {{ .Values.controller.service.type }} + {{- if .Values.controller.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} + {{- end }} + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if and (semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version) .Values.controller.service.enablePorts.quic }} + - name: quic + port: {{ .Values.controller.service.ports.https }} + protocol: UDP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.quic }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.stat }} + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.prometheus }} + - name: prometheus + port: {{ .Values.controller.service.ports.prometheus }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.prometheus }} + {{- if .Values.controller.service.nodePorts.prometheus }} + nodePort: {{ .Values.controller.service.nodePorts.prometheus }} + {{- end }} + {{- end }} + {{- range .Values.controller.service.tcpPorts }} + - name: {{ .name }}-tcp + port: {{ .port }} + protocol: TCP + targetPort: {{ .targetPort }} + {{- if .nodePort }} + nodePort: {{ .nodePort }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- if .Values.controller.service.ipFamilies }} + ipFamilies: +{{- toYaml .Values.controller.service.ipFamilies | nindent 4 }} +{{- end }} +{{- if .Values.controller.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy | quote }} +{{- end }} + externalIPs: +{{- if .Values.controller.service.externalIPs }} +{{ toYaml .Values.controller.service.externalIPs | indent 4 }} +{{- end -}} +{{- if (eq .Values.controller.service.type "LoadBalancer") }} +{{- if .Values.controller.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.controller.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if .Values.controller.service.loadBalancerClass}} + loadBalancerClass: "{{ .Values.controller.service.loadBalancerClass }}" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.0/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.40.0/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.0/templates/namespace.yaml b/charts/haproxy/haproxy/1.40.0/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.0/values.yaml b/charts/haproxy/haproxy/1.40.0/values.yaml new file mode 100644 index 0000000000..0a7bd339b9 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.0/values.yaml @@ -0,0 +1,583 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "" # overrides the image tag whose default is the chart appVersion + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Allow privileged port binding without root privileges + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + ## Note: this feature enables net.ipv4.ip_unprivileged_port_start=0 sysctl when running in unprivileged mode + allowPrivilegedPorts: false + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + ## Careful: this block will be ignored if you use config.cr-global. + ## In this case, move your logging config in entry spec.log_targets in your CR. + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Controller sync mode with Kubernetes + ## Note: requires Enterprise Kubernetes Ingress Controller + ## Possible values: 'default' or 'fetch' + ## - 'default': the sync is done based on K8s informers (event based) + ## - 'fetch': the controller pulls data periodically (from K8s or from proxy) + sync: + mode: default # can be 'default' or 'fetch' + fetchParams: # Mandatory if mode is 'fetch' + # period: 3s # optional, default is 5s + source: k8s # possible values are: 'proxy', 'k8s' + proxyParams: # Mandatory if source is 'proxy' + replicaCount: 3 # number of replicas of the proxy, mandatory if source is 'proxy' + proxySvcLabelSelector: run:haproxy-ingress-proxy # label selector of the proxy service, mandatory if source is 'proxy' diff --git a/charts/haproxy/haproxy/1.40.1/.helmignore b/charts/haproxy/haproxy/1.40.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/haproxy/haproxy/Chart.yaml b/charts/haproxy/haproxy/1.40.1/Chart.yaml similarity index 100% rename from charts/haproxy/haproxy/Chart.yaml rename to charts/haproxy/haproxy/1.40.1/Chart.yaml diff --git a/charts/haproxy/haproxy/1.40.1/README.md b/charts/haproxy/haproxy/1.40.1/README.md new file mode 100644 index 0000000000..2be5b7835c --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/README.md @@ -0,0 +1,296 @@ +# ![HAProxy](https://github.com/haproxytech/kubernetes-ingress/raw/master/assets/images/haproxy-weblogo-210x49.png "HAProxy") + +## HAProxy Kubernetes Ingress Controller + +An ingress controller is a Kubernetes resource that routes traffic from outside your cluster to services within the cluster. HAProxy Kubernetes Ingress Controller uses ConfigMap to store the haproxy configuration. + +Detailed documentation can be found within the [Official Documentation](https://www.haproxy.com/documentation/kubernetes/latest/). + +Additional configuration details can be found in [annotation reference](https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation) and in image [arguments reference](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md). + +## Introduction + +This chart bootstraps an HAProxy kubernetes-ingress deployment/daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +### Prerequisites + +- Kubernetes 1.22+ (recommended 1.24+) +- Helm 3.6+ (recommended 3.7+) + +## Before you begin + +### Setting up a Kubernetes Cluster + +The quickest way to setup a Kubernetes cluster is with [Azure Kubernetes Service](https://azure.microsoft.com/en-us/services/kubernetes-service/), [AWS Elastic Kubernetes Service](https://aws.amazon.com/eks/) or [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine/) using their respective quick-start guides. + +For setting up Kubernetes on other cloud platforms or bare-metal servers refer to the Kubernetes [getting started guide](http://kubernetes.io/docs/getting-started-guides/). + +### Install Helm + +Get the latest [Helm release](https://github.com/helm/helm#install). + +### Adding Helm chart repo + +Once you have Helm installed, add the repo as follows: + +```console +helm repo add haproxytech https://haproxytech.github.io/helm-charts + +helm repo update +``` + +## Installing the chart + +To install the chart with Helm v3 as _my-release_ deployment: + +```console +helm install my-release haproxytech/kubernetes-ingress +``` + +**_NOTE_**: To install the chart with Helm v2 (legacy Helm) the syntax requires adding deployment name to `--name` parameter: + +```console +helm install haproxytech/kubernetes-ingress \ + --name my-release +``` + +### Installing with unique name + +To auto-generate controller and its resources names when installing, use the following: + +```console +helm install haproxytech/kubernetes-ingress \ + --generate-name +``` + +### Installing from a private registry + +To install the chart using a private registry for controller into a separate namespace _prod_. + +**_NOTE_**: Helm v3 requires namespace to be precreated (eg. with `kubectl create namespace prod`) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.imageCredentials.registry=myregistry.domain.com \ + --set controller.imageCredentials.username=MYUSERNAME \ + --set controller.imageCredentials.password=MYPASSWORD +``` + +Alternatively, use a pre-configured (existing) imagePullSecret in the same namespace: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --namespace prod \ + --set controller.image.tag=SOMETAG \ + --set controller.existingImagePullSecret name-of-existing-image-pull-secret +``` + +### Using values from YAML file + +As opposed to using many `--set` invocations, much simpler approach is to define value overrides in a separate YAML file and specify them when invoking Helm: + +_mylb.yaml_: + +```yaml +controller: + kind: DaemonSet + ingressClass: haproxy + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 +``` + +And invoking Helm becomes (compare to the previous example): + +```console +helm install my-ingress -f mylb.yml haproxytech/kubernetes-ingress +``` + +A typical YAML file for TCP services looks like (provided that configmap "[default/tcp](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md)" was created) : + +```yaml +controller: + service: + tcpPorts: + - name: mysql + port: 3306 + targetPort: 3306 + extraArgs: + - --configmap-tcp-services=default/tcp +``` + +### Installing as DaemonSet + +Default controller mode is [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/), but it is possible to use [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) as well: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet +``` + +### Installing in multi-ingress environment + +It is also possible to set controller ingress class to be used in [multi-ingress environments](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers): + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy +``` + +**_NOTE_**: make sure your Ingress routes have corresponding `ingress.class: haproxy` annotation. + +### Installing Gateway API support + +[Gateway API support](https://gateway-api.sigs.k8s.io/) can be installed and used wth controller. Supported features can seen in [Ingress Controller documentation](https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md) + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.gatewayControllerName=haproxy.org/gateway-controller +``` + +**_NOTE_**: Gateway API is not part of the default k8s API so it needs to be installed. + +### Installing with service annotations + +On some environments like EKS and GKE there might be a need to pass service annotations. Syntax can become a little tedious however: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.kind=DaemonSet \ + --set controller.ingressClass=haproxy \ + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-internal"="0.0.0.0/0" \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" +``` + +**_NOTE_**: With helm `--set` it is needed to put quotes and escape dots in the annotation key and commas in the value string. + +### Installing with Horizontal Pod Autoscaler (HPA) + +[HPA](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) automatically scales number of replicas in Deployment or Replication Controller and adjusts replica count for the controller: + +```console +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.autoscaling.enabled=true +``` + +### Installing the ServiceMonitor + +If you're using the [Prometheus Operator](https://github.com/prometheus-operator/prometheus-operator), you can automatically install the `ServiceMonitor` definition in order to automate the scraping options according to your needs. + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +helm install my-ingress haproxytech/kubernetes-ingress \ + --set controller.serviceMonitor.enabled=true +``` + +### Installing with Kubernetes Event-driven Autoscaling (KEDA) + +[KEDA](https://keda.sh/docs/2.3/concepts/scaling-deployments/) is an improved scaling solution built on top of HPA which allows autoscaling criteria based on information from any event source including Prometheus metrics collected from HAProxy native Prometheus Exporter. + +To enable KEDA, you will also need to install Prometheus Operator and ServiceMonitor enabled (serverAddress has to match `prometheus-kube-prometheus-prometheus` service IP): + +_mykeda.yaml_: + +```yaml +controller: + kind: Deployment + serviceMonitor: + enabled: true + keda: + enabled: true + minReplicas: 1 + maxReplicas: 5 + triggers: + - type: prometheus + metadata: + serverAddress: http://10.96.206.247:9090 + metricName: haproxy_frontend_current_sessions + threshold: "100" + query: sum(rate(haproxy_frontend_current_sessions{proxy="http"}[2m])) +``` + +Note: Other options to trigger scaling can be found in Prometheus [native exporter documentation](https://github.com/haproxy/haproxy/blob/master/addons/promex/README), but some ideas are: + +- `haproxy_process_idle_time_percent` +- `haproxy_frontend_current_sessions` +- `haproxy_backend_current_queue` + +And to install: + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add kedacore https://kedacore.github.io/charts + +helm repo update + +helm install prometheus prometheus-community/kube-prometheus-stack \ + --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + +kubectl create namespace keda +helm install keda kedacore/keda --namespace keda + +helm install mytest haproxytech/kubernetes-ingress -f mykeda.yaml +``` + +## Installing on Azure Managed Kubernetes Service (AKS) + +By default Azure LB sends probe to `/` and expects HTTP status codes of 200-399 to consider Pod healthy, which means probes end up on default HTTP backend returning HTTP 404 status code. Since v1.20 AKS service annotation `service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path` can be used to override health probe behaviour and we recommend using the following annotation on AKS to target `/healthz` endpoint for health probes: + +```console +helm install ... + --set controller.service.type=LoadBalancer \ + --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz +``` + +## Upgrading the chart + +To upgrade the _my-release_ deployment: + +```console +helm upgrade my-release haproxytech/kubernetes-ingress +``` + +By default Helm [does not upgrade](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) CRDs during an upgrade, so before doing an upgrade it is mandatory to upgrade CRDs to the latest version by hand **before** doing a Helm chart upgrade. + +```console +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_defaults.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_globals.yaml +kubectl apply -f https://raw.githubusercontent.com/haproxytech/helm-charts/main/kubernetes-ingress/crds/core.haproxy.org_backends.yaml +``` + +Note: from Helm Chart 1.35.0, Helm Chart contains CRD install/upgrade job that will take care of both installing and +upgrading CRDs accordingly. + +## Uninstalling the chart + +To uninstall/delete the _my-release_ deployment: + +```console +helm delete my-release +``` + +## Debugging + +It is possible to generate a set of YAML files for testing/debugging: + +```console +helm install my-release haproxytech/kubernetes-ingress \ + --debug \ + --dry-run +``` + +## Contributing + +We welcome all contributions. Please refer to [guidelines](../CONTRIBUTING.md) on how to make a contribution. diff --git a/charts/haproxy/haproxy/1.40.1/app-readme.md b/charts/haproxy/haproxy/1.40.1/app-readme.md new file mode 100644 index 0000000000..aae3d1bd81 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/app-readme.md @@ -0,0 +1,8 @@ +# HAProxy +[HAProxy](https://www.haproxy.org/) is the world's fastest and most widely used software load balancer. HAProxy allows organizations to deliver websites and applications with the utmost performance, observability, and security at any scale and in any environment. + +# HAProxy Enterprise +[HAProxy Enterprise](https://www.haproxy.com/products/haproxy-enterprise-edition/) is an enterprise-class version of HAProxy providing a robust and reliable code base with cutting edge features, an enterprise suite of add-ons, expert support, and professional services. At its core, it incorporates feature backports from the HAProxy development branch for customers who require immediate access to the latest functionality in a hardened version of code. + +## Introduction +This chart bootstraps the [HAProxy Ingress Controller](https://github.com/haproxytech/kubernetes-ingress) or the [HAProxy Enterprise Ingress Controller](https://www.haproxy.com/products/haproxy-enterprise-kubernetes-ingress-controller/) using the [Helm](https://helm.sh) package manager. diff --git a/charts/haproxy/haproxy/1.40.1/chart-icon.png b/charts/haproxy/haproxy/1.40.1/chart-icon.png new file mode 100644 index 0000000000..1c7acc4309 Binary files /dev/null and b/charts/haproxy/haproxy/1.40.1/chart-icon.png differ diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-customconfig-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-customconfig-values.yaml new file mode 100644 index 0000000000..116158a14b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-customnodeport-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 0000000000..c9de04c16f --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-default-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-default-values.yaml new file mode 100644 index 0000000000..ddb25623a3 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-default-values.yaml @@ -0,0 +1,2 @@ +controller: + kind: DaemonSet diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..3a1687a33d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-disableddefaultbackend-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..362fbb9828 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-disabledsecretconfig-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-enableports-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-enableports-values.yaml new file mode 100644 index 0000000000..9a41dac521 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-enableports-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraargs-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraargs-values.yaml new file mode 100644 index 0000000000..691acbc442 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraargs-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraenvs-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraenvs-values.yaml new file mode 100644 index 0000000000..35294fad23 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-extraenvs-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-hostport-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-hostport-values.yaml new file mode 100644 index 0000000000..45042ea50b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-hostport-values.yaml @@ -0,0 +1,8 @@ +controller: + kind: DaemonSet + daemonset: + useHostPort: true + hostPorts: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-ingressclass-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-ingressclass-values.yaml new file mode 100644 index 0000000000..15b3daed24 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-ingressclass-values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-ipfamily-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-ipfamily-values.yaml new file mode 100644 index 0000000000..cc8a976315 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-ipfamily-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..026f75b481 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-kubernetesgateway-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-nodeport-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-nodeport-values.yaml new file mode 100644 index 0000000000..ebc8f10202 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-nodeport-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-privileged-ports.values.yaml new file mode 100644 index 0000000000..1efe9a70ec --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-privileged-ports.values.yaml @@ -0,0 +1,6 @@ +controller: + kind: DaemonSet + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-publishservice-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-publishservice-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-publishservice-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-serviceannotation-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-serviceannotation-values.yaml new file mode 100644 index 0000000000..b538cb5424 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-serviceannotation-values.yaml @@ -0,0 +1,5 @@ +controller: + kind: DaemonSet + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-strategy-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-strategy-values.yaml new file mode 100644 index 0000000000..ed45d7adc8 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-strategy-values.yaml @@ -0,0 +1,7 @@ +controller: + kind: DaemonSet + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.40.1/ci/daemonset-unprivileged-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/daemonset-unprivileged-values.yaml new file mode 100644 index 0000000000..0311d62c19 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/daemonset-unprivileged-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + unprivileged: true + allowPrivilegedPorts: true diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-customconfig-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-customconfig-values.yaml new file mode 100644 index 0000000000..12c48d22d7 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-customconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + config: + rate-limit: "ON" diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-customnodeport-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-customnodeport-values.yaml new file mode 100644 index 0000000000..f044362aa9 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-customnodeport-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + type: NodePort + ports: + 8000: 10000 + 8001: 10001 diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-default-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-default-values.yaml new file mode 100644 index 0000000000..792d600548 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-default-values.yaml @@ -0,0 +1 @@ +# diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-disableddefaultbackend-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-disableddefaultbackend-values.yaml new file mode 100644 index 0000000000..ba2a61ebe0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-disableddefaultbackend-values.yaml @@ -0,0 +1,2 @@ +defaultBackend: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-disabledsecretconfig-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-disabledsecretconfig-values.yaml new file mode 100644 index 0000000000..767645997d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-disabledsecretconfig-values.yaml @@ -0,0 +1,3 @@ +controller: + defaultTLSSecret: + enabled: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-enableports-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-enableports-values.yaml new file mode 100644 index 0000000000..03ff297b4d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-enableports-values.yaml @@ -0,0 +1,6 @@ +controller: + service: + enablePorts: + http: false + https: true + stat: false diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-extraargs-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-extraargs-values.yaml new file mode 100644 index 0000000000..d0e1dbe733 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-extraargs-values.yaml @@ -0,0 +1,3 @@ +controller: + extraArgs: + - --namespace-whitelist=default diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-extraenvs-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-extraenvs-values.yaml new file mode 100644 index 0000000000..1f9e30c165 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-extraenvs-values.yaml @@ -0,0 +1,6 @@ +controller: + extraEnvs: + - name: TEST_STR1 + value: foo + - name: TEST_STR2 + value: baz diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-hpa-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-hpa-values.yaml new file mode 100644 index 0000000000..f3a570187b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-hpa-values.yaml @@ -0,0 +1,13 @@ +controller: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +defaultBackend: + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-ingressclass-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-ingressclass-values.yaml new file mode 100644 index 0000000000..6f4f1fcdc5 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-ingressclass-values.yaml @@ -0,0 +1,5 @@ +controller: + ingressClass: haproxy + ingressClassResource: + enabled: true + default: true diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-ipfamily-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-ipfamily-values.yaml new file mode 100644 index 0000000000..6776d901d5 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-ipfamily-values.yaml @@ -0,0 +1,4 @@ +controller: + service: + ipFamilies: [IPv4] + ipFamilyPolicy: SingleStack diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-kubernetesgateway-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-kubernetesgateway-values.yaml new file mode 100644 index 0000000000..c78bea2b37 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-kubernetesgateway-values.yaml @@ -0,0 +1,4 @@ +controller: + kubernetesGateway: + enabled: true + gatewayControllerName: haproxy.org/gateway-controller diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-nodeport-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-nodeport-values.yaml new file mode 100644 index 0000000000..ffdc47b2d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-nodeport-values.yaml @@ -0,0 +1,3 @@ +controller: + service: + type: NodePort diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-privileged-ports.values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-privileged-ports.values.yaml new file mode 100644 index 0000000000..b1dc2bb7d0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-privileged-ports.values.yaml @@ -0,0 +1,5 @@ +controller: + containerPort: + http: 80 + https: 443 + stat: 1024 diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-publishservice-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-publishservice-values.yaml new file mode 100644 index 0000000000..6d8bf9bf7b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-publishservice-values.yaml @@ -0,0 +1,4 @@ +controller: + kind: DaemonSet + publishService: + enabled: true diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-replicacount-unset.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-replicacount-unset.yaml new file mode 100644 index 0000000000..78ee300605 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-replicacount-unset.yaml @@ -0,0 +1,5 @@ +controller: + replicaCount: null + +defaultBackend: + replicaCount: null diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-strategy-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-strategy-values.yaml new file mode 100644 index 0000000000..939312a07c --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-strategy-values.yaml @@ -0,0 +1,6 @@ +controller: + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 diff --git a/charts/haproxy/haproxy/1.40.1/ci/deployment-unprivileged-values.yaml b/charts/haproxy/haproxy/1.40.1/ci/deployment-unprivileged-values.yaml new file mode 100644 index 0000000000..475f8b3f6e --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/ci/deployment-unprivileged-values.yaml @@ -0,0 +1,3 @@ +controller: + unprivileged: true + allowPrivilegedPorts: true diff --git a/charts/haproxy/haproxy/1.40.1/questions.yml b/charts/haproxy/haproxy/1.40.1/questions.yml new file mode 100644 index 0000000000..232b1f6743 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/questions.yml @@ -0,0 +1,72 @@ +questions: +- variable: imageDefault + default: true + description: "Use default Docker image" + label: Use Default Image + type: boolean + group: "Settings" + show_subquestion_if: false + subquestions: + - variable: controller.image.tag + default: "1.7.2" + description: "HAProxy Ingress Controller Tag" + type: string + label: HAProxy Ingress Controller Tag +- variable: controller.kind + type: enum + options: + - "DaemonSet" + - "Deployment" + default: "Deployment" + description: "Deployment Type" + label: Deployment Type + group: "Settings" +- variable: controller.service.type + type: enum + options: + - "LoadBalancer" + - "NodePort" + default: "NodePort" + description: "Service Type for HAProxy Ingress Controller" + label: Service Type + group: "Settings" +- variable: controller.ingressClass + default: "" + description: "Ingress Class for targeting this controller" + label: Ingress Class + type: string + group: "Settings" +- variable: controller.defaultTLSSecret.secret + default: "" + description: "Default TLS certificate secret" + label: TLS Certificate Secret + type: string + group: "Settings" +- variable: enableEnterprise + default: false + description: "Use HAProxy Enterprise" + label: Enable + type: boolean + group: "HAProxy Enterprise" + show_subquestion_if: true + subquestions: + - variable: controller.imageCredentials.registry + type: string + default: "kubernetes-registry.haproxy.com" + description: "HAProxy Enterprise Registtry" + label: Registry + - variable: controller.image.repository + type: string + default: "kubernetes-registry.haproxy.com/hapee-ingress" + description: "HAProxy Enterprise Registry" + label: Repository + - variable: controller.imageCredentials.username + type: string + default: "MYUSERNAME" + description: "HAProxy Enterprise Username" + label: Username + - variable: controller.imageCredentials.password + type: string + default: "MYPASSWORD" + description: "HAProxy Enterprise Password" + label: Password diff --git a/charts/haproxy/haproxy/templates/NOTES.txt b/charts/haproxy/haproxy/1.40.1/templates/NOTES.txt similarity index 100% rename from charts/haproxy/haproxy/templates/NOTES.txt rename to charts/haproxy/haproxy/1.40.1/templates/NOTES.txt diff --git a/charts/haproxy/haproxy/1.40.1/templates/_helpers.tpl b/charts/haproxy/haproxy/1.40.1/templates/_helpers.tpl new file mode 100644 index 0000000000..b26683bdb4 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/_helpers.tpl @@ -0,0 +1,169 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "kubernetes-ingress.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kubernetes-ingress.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kubernetes-ingress.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kubernetes-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Encode an imagePullSecret string. +*/}} +{{- define "kubernetes-ingress.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.controller.imageCredentials.registry (printf "%s:%s" .Values.controller.imageCredentials.username .Values.controller.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Encode an imagePullSecret string for the default backend. +*/}} +{{- define "kubernetes-ingress.defaultBackend.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.defaultBackend.imageCredentials.registry (printf "%s:%s" .Values.defaultBackend.imageCredentials.username .Values.defaultBackend.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{/* +Generate default certificate for HAProxy. +*/}} +{{- define "kubernetes-ingress.gen-certs" -}} +{{- $ca := genCA "kubernetes-ingress-ca" 365 -}} +{{- $cn := printf "%s.%s" .Release.Name (include "kubernetes-ingress.namespace" .) -}} +{{- $cert := genSignedCert $cn nil nil 365 $ca -}} +tls.crt: {{ $cert.Cert | b64enc }} +tls.key: {{ $cert.Key | b64enc }} +{{- end -}} + +{{/* +Create the name of the controller service account to use. +*/}} +{{- define "kubernetes-ingress.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kubernetes-ingress.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +*/}} +{{- define "kubernetes-ingress.defaultBackend.serviceAccountName" -}} +{{- if or .Values.serviceAccount.create .Values.defaultBackend.serviceAccount.create -}} + {{ default (printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name) .Values.defaultBackend.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.defaultBackend.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +*/}} +{{- define "kubernetes-ingress.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default cert secret name. +*/}} +{{- define "kubernetes-ingress.defaultTLSSecret.fullname" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" .) "default-cert" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the path for the publish-service. +By default this will use the / matching the controller's service name. +Users can provide an override for an explicit service they want to use via `.Values.controller.publishService.pathOverride` +*/}} +{{- define "kubernetes-ingress.publishServicePath" -}} +{{- $defServicePath := printf "%s/%s" (include "kubernetes-ingress.namespace" .) (include "kubernetes-ingress.fullname" .) -}} +{{- $servicePath := default $defServicePath .Values.controller.publishService.pathOverride }} +{{- print $servicePath | trimSuffix "-" -}} +{{- end -}} + +{{/* +Construct the syslog-server annotation +*/}} +{{- define "kubernetes-ingress.syslogServer" -}} +{{- range $key, $val := .Values.controller.logging.traffic -}} +{{- printf "%s:%s, " $key $val }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified ServiceMonitor name. +*/}} +{{- define "kubernetes-ingress.serviceMonitorName" -}} +{{- default (include "kubernetes-ingress.fullname" .) .Values.controller.serviceMonitor.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the Service metrics. +*/}} +{{- define "kubernetes-ingress.serviceMetricsName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 56 | trimSuffix "-") "metrics" }} +{{- end -}} + +{{/* +Create a default fully qualified unique CRD job name. +*/}} +{{- define "kubernetes-ingress.crdjob.fullname" -}} +{{- printf "%s-%s-%d" (include "kubernetes-ingress.fullname" .) "crdjob" .Release.Revision | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a FQDN for the proxy pods. +*/}} +{{- define "kubernetes-ingress.serviceProxyName" -}} +{{- printf "%s-%s" (include "kubernetes-ingress.fullname" . | trunc 58 | trimSuffix "-") "proxy" }} +{{- end -}} + +{{/* vim: set filetype=mustache: */}} diff --git a/charts/haproxy/haproxy/1.40.1/templates/clusterrole.yaml b/charts/haproxy/haproxy/1.40.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..e106b0b34d --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/clusterrole.yaml @@ -0,0 +1,151 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - services + - namespaces + - events + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + - ingresses/status + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - core.haproxy.org + resources: + - '*' + verbs: + - get + - list + - watch + - update +- apiGroups: + - ingress.v1.haproxy.org + - ingress.v1.haproxy.com + resources: + - "*" + verbs: + - get + - list + - watch + - update +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +{{- if .Values.controller.kubernetesGateway.enabled }} +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - referencegrants + - gateways + - gatewayclasses + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - "gateway.networking.k8s.io" + resources: + - gatewayclasses/status + - gateways/status + - tcproutes/status + verbs: + - update +{{- end }} +- apiGroups: + - "apps" + resources: + - replicasets + - deployments + - daemonsets + verbs: + - get + - list + - watch +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +- apiGroups: + - "coordination.k8s.io" + resources: + - leases + verbs: + - "*" +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.1/templates/clusterrolebinding.yaml b/charts/haproxy/haproxy/1.40.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..43a65c2d88 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} + diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-configmap.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-configmap.yaml new file mode 100644 index 0000000000..d50399b2b6 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-configmap.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.configAnnotations }} + annotations: +{{ toYaml .Values.controller.configAnnotations | indent 4 }} +{{- end }} +data: +{{- if .Values.controller.logging.traffic }} + syslog-server: {{ include "kubernetes-ingress.syslogServer" . }} +{{- end }} +{{- if .Values.controller.config }} +{{ toYaml .Values.controller.config | indent 2 }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-crdjob.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-crdjob.yaml new file mode 100644 index 0000000000..bddc564bd0 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-crdjob.yaml @@ -0,0 +1,106 @@ +{{/* +Copyright 2023 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: HookSucceeded +spec: +{{- if or (.Capabilities.APIVersions.Has "batch/v1alpha1") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} + ttlSecondsAfterFinished: 120 +{{- end }} + backoffLimit: 0 + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.crdjob.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.podLabels }} +{{ toYaml .Values.controller.podLabels | indent 8 }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + annotations: +{{ toYaml .Values.controller.podAnnotations | indent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ include "kubernetes-ingress.serviceAccountName" . }} +{{- if .Values.controller.imageCredentials.registry }} + imagePullSecrets: + - name: {{ include "kubernetes-ingress.fullname" . }} +{{- else if .Values.controller.existingImagePullSecret }} + imagePullSecrets: + - name: {{ .Values.controller.existingImagePullSecret }} +{{- end }} +{{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} +{{- end }} +{{- if .Values.controller.runtimeClassName }} + runtimeClassName: {{ .Values.controller.runtimeClassName }} +{{- end }} +{{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 +{{- end }} + containers: + - name: crd + image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + command: + - /haproxy-ingress-controller + - --job-check-crd + {{- if .Values.controller.unprivileged }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + {{- if .Values.controller.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-daemonset.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-daemonset.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-daemonset.yaml rename to charts/haproxy/haproxy/1.40.1/templates/controller-daemonset.yaml diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-defaultcertsecret.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-defaultcertsecret.yaml new file mode 100644 index 0000000000..2b438058fc --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-defaultcertsecret.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.defaultTLSSecret.enabled }} +{{- if and (not .Values.controller.defaultTLSSecret.secret) .Values.controller.defaultTLSSecret.secretNamespace }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ include "kubernetes-ingress.defaultTLSSecret.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: +{{ ( include "kubernetes-ingress.gen-certs" . ) | indent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/haproxy/haproxy/templates/controller-deployment.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-deployment.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-deployment.yaml rename to charts/haproxy/haproxy/1.40.1/templates/controller-deployment.yaml diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-hpa.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-hpa.yaml new file mode 100644 index 0000000000..3f596c0f11 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-hpa.yaml @@ -0,0 +1,68 @@ +{{/* +Copyright 2020 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled }} +{{- if not .Values.controller.keda.enabled }} +{{- if or (.Capabilities.APIVersions.Has "autoscaling/v2") (semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: autoscaling/v2 +{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }} +apiVersion: autoscaling/v2beta2 +{{- else }} + {{- fail "ERROR: You must have autoscaling/v2 or autoscaling/v2beta2 to use HorizontalPodAutoscaler" }} +{{- end }} +kind: HorizontalPodAutoscaler +metadata: +{{- if .Values.controller.autoscaling.annotations }} + annotations: +{{ toYaml .Values.controller.autoscaling.annotations | indent 4 }} +{{- end }} + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kubernetes-ingress.fullname" . }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} + metrics: + {{- if .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.controller.autoscaling.custom }} + {{- toYaml .Values.controller.autoscaling.custom | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-ingressclass.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-ingressclass.yaml new file mode 100644 index 0000000000..361fc7b17b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-ingressclass.yaml @@ -0,0 +1,46 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version }} +{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") (semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: IngressClass +metadata: + name: {{ .Values.controller.ingressClassResource.name }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.ingressClassResource.default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: +{{- if not .Values.controller.ingressClass }} + controller: haproxy.org/ingress-controller +{{- else }} + controller: haproxy.org/ingress-controller/{{ .Values.controller.ingressClass }} +{{- end }} + {{- if .Values.controller.ingressClassResource.parameters }} + parameters: +{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-keda.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-keda.yaml new file mode 100644 index 0000000000..78487cec49 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-keda.yaml @@ -0,0 +1,52 @@ +{{/* +Copyright 2021 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled }} +apiVersion: keda.sh/v1alpha1 +kind: ScaledObject +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.keda.scaledObject.annotations }} + annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + name: {{ include "kubernetes-ingress.fullname" . }} + pollingInterval: {{ .Values.controller.keda.pollingInterval }} + cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} + minReplicaCount: {{ .Values.controller.keda.minReplicas }} + maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} + triggers: +{{- with .Values.controller.keda.triggers }} +{{ toYaml . | indent 2 }} +{{ end }} + advanced: + restoreToOriginalReplicaCount: {{ .Values.controller.keda.restoreToOriginalReplicaCount }} +{{- if .Values.controller.keda.behavior }} + horizontalPodAutoscalerConfig: + behavior: +{{ with .Values.controller.keda.behavior -}} +{{ toYaml . | indent 8 }} +{{ end }} +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-poddisruptionbudget.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-poddisruptionbudget.yaml new file mode 100644 index 0000000000..54229c0846 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-poddisruptionbudget.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.PodDisruptionBudget.enable }} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +spec: + {{- if .Values.controller.PodDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.controller.PodDisruptionBudget.maxUnavailable }} + {{- end }} + {{- if .Values.controller.PodDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.controller.PodDisruptionBudget.minAvailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-podsecuritypolicy.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..6507c50722 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-podsecuritypolicy.yaml @@ -0,0 +1,86 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- $useHostNetwork := .Values.controller.daemonset.useHostNetwork }} +{{- $useHostPort := .Values.controller.daemonset.useHostPort }} +{{- $hostPorts := .Values.controller.daemonset.hostPorts -}} +{{- if or (.Capabilities.APIVersions.Has "policy/v1/PodSecurityPolicy") (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodSecurityPolicy +metadata: +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + name: {{ include "kubernetes-ingress.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + allowPrivilegeEscalation: {{ .Values.controller.allowPrivilegeEscalation }} + allowedCapabilities: + - NET_BIND_SERVICE + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 +{{- if $useHostNetwork }} + hostNetwork: true +{{- end }} +{{- if or $useHostPort $useHostNetwork }} + hostPorts: +{{- range $key, $value := .Values.controller.containerPort }} + - min: {{ $value }} + max: {{ $value }} +{{- end }} +{{- range .Values.controller.service.tcpPorts }} + - min: {{ .port }} + max: {{ .port }} +{{- end }} +{{- end }} + hostIPC: false + hostPID: false + privileged: false + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: + - configMap + - downwardAPI + - secret +{{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-proxy-deployment.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-proxy-deployment.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-proxy-deployment.yaml rename to charts/haproxy/haproxy/1.40.1/templates/controller-proxy-deployment.yaml diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-proxy-service.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-proxy-service.yaml new file mode 100644 index 0000000000..161072a29e --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-proxy-service.yaml @@ -0,0 +1,73 @@ +{{/* +Copyright 2024 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (eq .Values.controller.sync.mode "fetch") (eq .Values.controller.sync.fetchParams.source "proxy") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceProxyName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._0 }}: {{ (split ":" .Values.controller.sync.proxyParams.proxySvcLabelSelector)._1 }} +{{- if .Values.controller.service.labels }} +{{ toYaml .Values.controller.service.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.controller.service.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }} + {{- end }} + ports: + {{- if .Values.controller.service.enablePorts.http }} + - name: http + port: {{ .Values.controller.service.ports.http }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: http + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.http }} + {{- if .Values.controller.service.nodePorts.http }} + nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.controller.service.enablePorts.https }} + - name: https + port: {{ .Values.controller.service.ports.https }} + protocol: TCP + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + appProtocol: https + {{- end }} + targetPort: {{ .Values.controller.service.targetPorts.https }} + {{- if .Values.controller.service.nodePorts.https }} + nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.serviceProxyName" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.controller.service.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.sessionAffinity }} + {{- end }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-pullsecret.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-pullsecret.yaml new file mode 100644 index 0000000000..d9a0ec9102 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-pullsecret.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.controller.imageCredentials.registry }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "kubernetes-ingress.imagePullSecret" . }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-role.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-role.yaml new file mode 100644 index 0000000000..542968c58a --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-role.yaml @@ -0,0 +1,38 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +rules: +- apiGroups: + - "policy" + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "kubernetes-ingress.fullname" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-rolebinding.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-rolebinding.yaml new file mode 100644 index 0000000000..db4475285e --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-rolebinding.yaml @@ -0,0 +1,37 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kubernetes-ingress.fullname" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kubernetes-ingress.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-service-metrics.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-service-metrics.yaml new file mode 100644 index 0000000000..7ccb2310a1 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-service-metrics.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +The following Service resource will be created upon certain conditions: +- The ServiceMonitor integration is enabled +- A Service resource must be created +- The stats port is not exposed +- The Service is type LoadBalancer + +The reason for that is that the Ingress Controller would make it available to the outside +sensitive data such as its metrics, and the operator wants to keep these data private +(such as the value of "controller.service.enablePorts.stat=false"). + +To let the Prometheus Operator being able to scrape the metrics, an additional service +is going to be created, allowing it to expose of these in the internal Kubernetes networking. +*/}} +{{- if and (.Values.controller.serviceMonitor.enabled) (.Values.controller.service.enabled) (not .Values.controller.service.enablePorts.stat) (eq .Values.controller.service.type "LoadBalancer") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kubernetes-ingress.serviceMetricsName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if .Values.controller.service.metrics.labels }} +{{ toYaml .Values.controller.service.metrics.labels | indent 4 }} +{{- end }} + annotations: +{{- range $key, $value := .Values.controller.service.metrics.annotations }} + {{ $key }}: {{ $value | quote }} +{{- end }} +spec: + type: {{ .Values.controller.service.metrics.type }} + ports: + - name: stat + port: {{ .Values.controller.service.ports.stat }} + protocol: TCP + targetPort: {{ .Values.controller.service.targetPorts.stat }} + {{- if .Values.controller.service.nodePorts.stat }} + nodePort: {{ .Values.controller.service.nodePorts.stat }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/templates/controller-service.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-service.yaml similarity index 100% rename from charts/haproxy/haproxy/templates/controller-service.yaml rename to charts/haproxy/haproxy/1.40.1/templates/controller-service.yaml diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-serviceaccount.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-serviceaccount.yaml new file mode 100644 index 0000000000..70529f7d63 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-serviceaccount.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if or .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kubernetes-ingress.serviceAccountName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.1/templates/controller-servicemonitor.yaml b/charts/haproxy/haproxy/1.40.1/templates/controller-servicemonitor.yaml new file mode 100644 index 0000000000..87529fcd02 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/controller-servicemonitor.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright 2019 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "kubernetes-ingress.serviceMonitorName" . }} + namespace: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + {{- if .Values.controller.serviceMonitor.extraLabels }} + {{ toYaml .Values.controller.serviceMonitor.extraLabels | nindent 4 }} + {{- end }} +spec: + endpoints: + {{ .Values.controller.serviceMonitor.endpoints | toYaml | nindent 4 }} + namespaceSelector: + matchNames: + - {{ include "kubernetes-ingress.namespace" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/haproxy/haproxy/1.40.1/templates/namespace.yaml b/charts/haproxy/haproxy/1.40.1/templates/namespace.yaml new file mode 100644 index 0000000000..5b7713a72b --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/templates/namespace.yaml @@ -0,0 +1,28 @@ +{{/* +Copyright 2022 HAProxy Technologies LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.namespace.create -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kubernetes-ingress.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "kubernetes-ingress.name" . }} + helm.sh/chart: {{ include "kubernetes-ingress.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} diff --git a/charts/haproxy/haproxy/1.40.1/values.yaml b/charts/haproxy/haproxy/1.40.1/values.yaml new file mode 100644 index 0000000000..0a7bd339b9 --- /dev/null +++ b/charts/haproxy/haproxy/1.40.1/values.yaml @@ -0,0 +1,583 @@ +# Copyright 2019 HAProxy Technologies LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +## Default values for kubernetes-ingress Chart for HAProxy Ingress Controller +## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + +podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default + # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + enabled: false + +## Enable RBAC Authorization +## ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ +rbac: + create: true + +## Create namespace +## https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/ +namespace: + create: false + +## Configure Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +serviceAccount: + create: true + name: + automountServiceAccountToken: true + +## Namespace override +## Allow the release namespace to be overridden for multi-namespace deployments in combined charts +# namespaceOverride: haproxytech + +## AWS Market Place integration +## Allows installation of the HAPEE Ingress Controller on AWS EKS and EKS-Anywhere. +## ref: https://docs.aws.amazon.com/marketplace/latest/userguide/container-anywhere-license-manager-integration.html +aws: + ## Name of the Secret deployed in the desired namespace containing the AWS license files + licenseConfigSecretName: "" + +## Controller default values +controller: + name: controller + image: + repository: haproxytech/kubernetes-ingress # can be changed to use CE or EE Controller images + tag: "" # overrides the image tag whose default is the chart appVersion + pullPolicy: IfNotPresent + + ## Deployment or DaemonSet pod mode + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + kind: Deployment # can be 'Deployment' or 'DaemonSet' + replicaCount: 2 + + ## minReadySeconds setting of Deployment or DaemonSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 0 + + ## Running container without root privileges + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + unprivileged: true + + ## Allow privileged port binding without root privileges + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ + ## Note: this feature enables net.ipv4.ip_unprivileged_port_start=0 sysctl when running in unprivileged mode + allowPrivilegedPorts: false + + ## Restricts container syscalls + ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/ + enableRuntimeDefaultSeccompProfile: true + + ## Privilege escalation + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + allowPrivilegeEscalation: false + + ## Init Containers + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + # - name: sysctl + # image: "busybox:musl" + # command: + # - /bin/sh + # - -c + # - sysctl -w net.core.somaxconn=65536 + # securityContext: + # privileged: true + + ## Pod termination grace period + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 60 + + ## Private Registry configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imageCredentials: + registry: null + username: null + password: null + existingImagePullSecret: null + + ## Controller Container listener port configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/ + ## Note: If binding to privileged ports, allowPrivilegeEscalation will be required for NET_BIND_SERVICE to apply + containerPort: + http: 8080 + https: 8443 + stat: 1024 + + ## Controller Container liveness/readiness probe configuration + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + startupProbe: + failureThreshold: 20 + initialDelaySeconds: 0 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + httpGet: + path: /healthz + port: 1042 + scheme: HTTP + + ## IngressClass: + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md + + # k8s >= 1.18: IngressClass resource used, in multi-ingress environments, to select ingress resources to implement. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class + # Note: Uses ingressClass as name for the Ingress Class object if enabled + ingressClassResource: + name: haproxy + default: false + parameters: {} + + # k8s < 1.18: Ingress Class used, in multi-ingress environments, for ingress.class annotation to select ingress resources to implement. + # k8s >= 1.18: Ingress Class used to target specific HAProxy Ingress Controller in multi-ingress envionments + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/#using-multiple-ingress-controllers + ingressClass: haproxy # typically "haproxy" or null to receive all events + + # Gateway API controller, not available in K8s as default but can be installed + # ref: https://gateway-api.sigs.k8s.io/ + # ref: https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller + kubernetesGateway: + enabled: false + gatewayControllerName: haproxy.org/gateway-controller + + ## Additional labels to add to the deployment or daemonset metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + extraLabels: {} + # key: value + + ## Additional labels to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + podLabels: {} + # key: value + + ## Additional annotations to add to the pod container metadata + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + podAnnotations: {} + # key: value + + ## Allows to enable/disable environment variables for finding services + ## ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service + ## Note: Possible performance issues in large clusters: https://github.com/kubernetes/kubernetes/issues/92615 + enableServiceLinks: true + + ## Ingress TLS secret, if it is enabled and secret is null then controller will use auto-generated secret, otherwise + ## secret needs to contain name of the Secret object which has been created manually + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## ref: https://kubernetes.io/docs/concepts/configuration/secret/ + defaultTLSSecret: + enabled: true + secretNamespace: '{{ include "kubernetes-ingress.namespace" . }}' + secret: null + + ## Compute Resources for controller container + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + resources: + # limits: + # cpu: 250m + # memory: 400Mi + requests: + cpu: 250m + memory: 400Mi + + ## Horizontal Pod Scaler + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + ## HPA annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + # annotationKey: value + + ## Custom metrics (example) + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics + # custom: + # - type: Pods + # pods: + # metricName: haproxy_backend_current_sessions + # targetAverageValue: 2000 + + ## Kubernetes Event-driven Autoscaling: KEDA 2.x + ## ref: https://keda.sh/docs/2.3/concepts/scaling-deployments/ + ## Note: mutually exclusive with HPA, enabling KEDA disables HPA + ## Node: requires serviceMonitor enabled + keda: + enabled: false + minReplicas: 2 + maxReplicas: 20 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Percent + # value: 100 + # periodSeconds: 15 + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: haproxy_process_idle_time_percent + # threshold: '50' + # query: avg(100-avg_over_time(haproxy_process_idle_time_percent{container="kubernetes-ingress-controller",service="mytest-kubernetes-ingress"}[2m])) + + ## Pod Disruption Budget + ## Only to be used with Deployment kind + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + PodDisruptionBudget: + enable: false + # maxUnavailable: 1 + # minAvailable: 1 + + ## Pod Node assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector: {} + + ## Node Taints and Tolerations for pod-node cheduling through attraction/repelling + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node Affinity for pod-node scheduling constraints + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + + ## Topology spread constraints (only used in kind: Deployment) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/name: kubernetes-ingress + # app.kubernetes.io/instance: kubernetes-ingress + + ## Pod DNS Config + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + dnsConfig: {} + + ## Pod DNS Policy + ## Change this to ClusterFirstWithHostNet in case you have useHostNetwork set to true + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: ClusterFirst + + ## Additional command line arguments to pass to Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + extraArgs: [] + # - --namespace-whitelist=default + # - --namespace-whitelist=namespace1 + # - --namespace-blacklist=namespace2 + # - --disable-ipv4 + # - --disable-ipv6 + # - --disable-http + # - --disable-https + # - --disable-quic + # - --sync-period=10s + + ## Custom configuration for Controller + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation + config: {} + # timeout-connect: "250ms" + # servers-increment: "10" + # servers-increment-max-disabled: "10" + # rate-limit: "ON" + # rate-limit-expire: "1m" + # rate-limit-interval: "10s" + # rate-limit-size: "100k" + + ## Extra annotation for custom configmap for Controller + configAnnotations: {} + # annotationKey: value + + ## Controller Logging configuration + ## Careful: this block will be ignored if you use config.cr-global. + ## In this case, move your logging config in entry spec.log_targets in your CR. + logging: + ## Controller logging level + ## This only relevant to Controller logs + level: info + + ## HAProxy traffic logs + ## ref: https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#logging + traffic: {} + # address: "stdout" + # format: "raw" + # facility: "daemon" + + ## Mirrors the address of the service's endpoints to the + ## load-balancer status of all Ingress objects it satisfies. + publishService: + enabled: true + ## + ## Override of the publish service + ## Must be / + pathOverride: "" + + ## Controller Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + service: + enabled: true # set to false when controller.kind is 'DaemonSet' and controller.daemonset.useHostPorts is true + + type: NodePort # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Health check node port + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + healthCheckNodePort: 0 + + ## Service nodePorts to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## If empty, random ports will be used + nodePorts: {} + # http: 31080 + # https: 31443 + # stat: 31024 + # prometheus: 36060 + + ## Service ports to use for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ports: + http: 80 + https: 443 + stat: 1024 + prometheus: 6060 + + ## The controller service ports for http, https and stat can be disabled by + ## setting below to false - this could be useful when only deploying haproxy + ## as a TCP loadbalancer + ## Note: At least one port (http, https, stat or from tcpPorts) has to be enabled + enablePorts: + http: true + https: true + quic: true + stat: true + prometheus: true + + ## Target port mappings for http, https and stat + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + targetPorts: + http: http + https: https + quic: quic + stat: stat + prometheus: prometheus + + ## Additional tcp ports to expose + ## This is especially useful for TCP services: + ## https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md + tcpPorts: [] + # - name: http-alt + # port: 8080 + # targetPort: http-alt + # nodePort: 32080 + + ## Set external traffic policy + ## Default is "Cluster", setting it to "Local" preserves source IP + ## ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "Local" + + ## Expose service via external IPs that route to one or more cluster nodes + externalIPs: [] + + ## LoadBalancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + + ## Source IP ranges permitted to access Network Load Balancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ + loadBalancerSourceRanges: [] + + ## Class of load balancer implementation + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: null + + ## Service ClusterIP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # clusterIP: "" + + ## IPv4/IPv6 dual-stack + ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + ## + # ipFamilies: [IPv4, IPv6] + # ipFamilyPolicy: PreferDualStack + + ## Service session affinity + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + # sessionAffinity: "" + + ## Controller Metrics Service configuration + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + metrics: + type: ClusterIP # can be 'ClusterIP', 'NodePort' or 'LoadBalancer' + + ## Service annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + annotations: {} + + ## Service labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + labels: {} + + ## Controller DaemonSet configuration + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ + daemonset: + useHostNetwork: false # also modify dnsPolicy accordingly + useHostPort: false + hostIP: null + hostPorts: + http: 80 + https: 443 + stat: 1024 + + ## Controller deployment strategy definition + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + strategy: + type: RollingUpdate + + ## Controller Pod PriorityClass + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + priorityClassName: "" + + ## Pod runtime class name + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + runtimeClassName: "" + + ## Controller container lifecycle handlers + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ + lifecycle: {} + ## Example preStop for graceful shutdown + # preStop: + # exec: + # command: ["/bin/sh", "-c", "kill -USR1 $(pidof haproxy); while killall -0 haproxy; do sleep 1; done"] + + ## Set additional environment variables + extraEnvs: [] + ## Set TZ env to configure timezone on controller containers + # - name: TZ + # value: "Etc/UTC" + + ## Add additional containers + extraContainers: [] + ## Example sidecar + # - name: sidecar + # image: alpine # alpine is a simple Linux OS image + # command: ["/bin/sh"] + # args: ["-c", "while true; do date; sleep 5;done"] + + ## Additional volumeMounts to the controller main container + extraVolumeMounts: [] + ## Example empty volume mounts when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # mountPath: /etc/haproxy + # - name: tmp + # mountPath: /tmp + # - name: var-state-haproxy + # mountPath: /var/state/haproxy + + ## Additional volumes to the controller pod + extraVolumes: [] + ## Example empty volumes when using securityContext->readOnlyRootFilesystem + # - name: etc-haproxy + # emptyDir: {} + # - name: tmp + # emptyDir: {} + # - name: var-state-haproxy + # emptyDir: {} + + ## ServiceMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## Note: requires Prometheus Operator to be able to work, for example: + ## helm install prometheus prometheus-community/kube-prometheus-stack \ + ## --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \ + ## --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false + serviceMonitor: + ## Toggle the ServiceMonitor true if you have Prometheus Operator installed and configured + enabled: false + + ## Specify the labels to add to the ServiceMonitors to be selected for target discovery + extraLabels: {} + + ## Specify the endpoints + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor + endpoints: + - port: stat + path: /metrics + scheme: http + interval: 30s + + ## Controller sync mode with Kubernetes + ## Note: requires Enterprise Kubernetes Ingress Controller + ## Possible values: 'default' or 'fetch' + ## - 'default': the sync is done based on K8s informers (event based) + ## - 'fetch': the controller pulls data periodically (from K8s or from proxy) + sync: + mode: default # can be 'default' or 'fetch' + fetchParams: # Mandatory if mode is 'fetch' + # period: 3s # optional, default is 5s + source: k8s # possible values are: 'proxy', 'k8s' + proxyParams: # Mandatory if source is 'proxy' + replicaCount: 3 # number of replicas of the proxy, mandatory if source is 'proxy' + proxySvcLabelSelector: run:haproxy-ingress-proxy # label selector of the proxy service, mandatory if source is 'proxy' diff --git a/charts/harbor/harbor/.helmignore b/charts/harbor/harbor/1.12.3/.helmignore similarity index 100% rename from charts/harbor/harbor/.helmignore rename to charts/harbor/harbor/1.12.3/.helmignore diff --git a/charts/harbor/harbor/1.12.3/Chart.yaml b/charts/harbor/harbor/1.12.3/Chart.yaml new file mode 100644 index 0000000000..6e427f2c9e --- /dev/null +++ b/charts/harbor/harbor/1.12.3/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.8.3 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.12.3 diff --git a/charts/harbor/harbor/LICENSE b/charts/harbor/harbor/1.12.3/LICENSE similarity index 100% rename from charts/harbor/harbor/LICENSE rename to charts/harbor/harbor/1.12.3/LICENSE diff --git a/charts/harbor/harbor/1.12.3/README.md b/charts/harbor/harbor/1.12.3/README.md new file mode 100644 index 0000000000..ff353d564d --- /dev/null +++ b/charts/harbor/harbor/1.12.3/README.md @@ -0,0 +1,420 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker/notary client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.ingress.notary.annotations` | The annotations specific to notary ingress | {} | +| `expose.ingress.notary.labels` | The labels specific to notary ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| **Notary** | | | +| `notary.enabled` | Enable Notary? | `true` | +| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | +| `notary.server.image.tag` | Tag for notary server image | `dev` | +| `notary.server.replicas` | The replica count | `1` | +| `notary.server.resources` | The [resources] to allocate for container | undefined | +| `notary.server.priorityClassName` | The priority class to run the pod as | | +| `notary.server.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | +| `notary.signer.image.tag` | Tag for notary signer image | `dev` | +| `notary.signer.replicas` | The replica count | `1` | +| `notary.signer.resources` | The [resources] to allocate for container | undefined | +| `notary.signer.priorityClassName` | The priority class to run the pod as | | +| `notary.signer.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `notary.nodeSelector` | Node labels for pod assignment | `{}` | +| `notary.tolerations` | Tolerations for pod assignment | `[]` | +| `notary.affinity` | Node/Pod affinities | `{}` | +| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.serviceAnnotations` | Annotations to add to the notary service | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `ca.crt`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | +| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.12.3/conf/notary-server.json b/charts/harbor/harbor/1.12.3/conf/notary-server.json new file mode 100644 index 0000000000..b3c2624134 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/conf/notary-server.json @@ -0,0 +1,28 @@ +{ + "server": { + "http_addr": ":4443" + }, + "trust_service": { + "type": "remote", + "hostname": "{{ template "harbor.notary-signer" . }}", + "port": "7899", + "tls_ca_file": "/etc/ssl/notary/ca.crt", + "key_algorithm": "ecdsa" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notaryServer" . }}" + }, + "auth": { + "type": "token", + "options": { + "realm": "{{ .Values.externalURL }}/service/token", + "service": "harbor-notary", + "issuer": "harbor-token-issuer", + "rootcertbundle": "/root.crt" + } + } +} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.3/conf/notary-signer.json b/charts/harbor/harbor/1.12.3/conf/notary-signer.json new file mode 100644 index 0000000000..75a4d68bdb --- /dev/null +++ b/charts/harbor/harbor/1.12.3/conf/notary-signer.json @@ -0,0 +1,15 @@ +{ + "server": { + "grpc_addr": ":7899", + "tls_cert_file": "/etc/ssl/notary/tls.crt", + "tls_key_file": "/etc/ssl/notary/tls.key" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notarySigner" . }}", + "default_alias": "defaultalias" + } +} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/NOTES.txt b/charts/harbor/harbor/1.12.3/templates/NOTES.txt similarity index 100% rename from charts/harbor/harbor/templates/NOTES.txt rename to charts/harbor/harbor/1.12.3/templates/NOTES.txt diff --git a/charts/harbor/harbor/1.12.3/templates/_helpers.tpl b/charts/harbor/harbor/1.12.3/templates/_helpers.tpl new file mode 100644 index 0000000000..eb467e773e --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/_helpers.tpl @@ -0,0 +1,570 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- .Values.database.internal.password -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notaryServerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notaryserver" -}} + {{- else -}} + {{- .Values.database.external.notaryServerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notarySignerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notarysigner" -}} + {{- else -}} + {{- .Values.database.external.notarySignerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notaryServer" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.database.notarySigner" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- $cred := ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary "1" .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary "5" .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary "2" .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-server" -}} + {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-signer" -}} + {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress-notary" -}} + {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components except notary because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsNotarySecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.notarySecretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: "{{ .Values.trace.attributes | toJson }}" + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.3/templates/core/core-cm.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-cm.yaml new file mode 100644 index 0000000000..adecb1ceb4 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/core/core-cm.yaml @@ -0,0 +1,79 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + WITH_NOTARY: "{{ .Values.notary.enabled }}" + NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration | quote }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..2ca8b0c5e5 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/core/core-dpl.yaml @@ -0,0 +1,221 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: JOBSERVICE_SECRET + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.3/templates/core/core-secret.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-secret.yaml new file mode 100644 index 0000000000..20f835b1d8 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/core/core-secret.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/templates/core/core-svc.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/core/core-svc.yaml diff --git a/charts/harbor/harbor/templates/core/core-tls.yaml b/charts/harbor/harbor/1.12.3/templates/core/core-tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-tls.yaml rename to charts/harbor/harbor/1.12.3/templates/core/core-tls.yaml diff --git a/charts/harbor/harbor/templates/database/database-secret.yaml b/charts/harbor/harbor/1.12.3/templates/database/database-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/database/database-secret.yaml rename to charts/harbor/harbor/1.12.3/templates/database/database-secret.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/database/database-ss.yaml b/charts/harbor/harbor/1.12.3/templates/database/database-ss.yaml new file mode 100644 index 0000000000..733243c71c --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/database/database-ss.yaml @@ -0,0 +1,162 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/templates/database/database-svc.yaml b/charts/harbor/harbor/1.12.3/templates/database/database-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/database/database-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/database/database-svc.yaml diff --git a/charts/harbor/harbor/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.12.3/templates/exporter/exporter-cm-env.yaml similarity index 100% rename from charts/harbor/harbor/templates/exporter/exporter-cm-env.yaml rename to charts/harbor/harbor/1.12.3/templates/exporter/exporter-cm-env.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.12.3/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..5ff36f48a6 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,117 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter + annotations: +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.12.3/templates/exporter/exporter-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/exporter/exporter-secret.yaml rename to charts/harbor/harbor/1.12.3/templates/exporter/exporter-secret.yaml diff --git a/charts/harbor/harbor/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.12.3/templates/exporter/exporter-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/exporter/exporter-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/exporter/exporter-svc.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.12.3/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..eedd13604a --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/ingress/ingress.yaml @@ -0,0 +1,209 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} + {{- $_ := set . "notary_path" "/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- if .Values.notary.enabled }} +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress-notary" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.notary.labels }} +{{ toYaml $ingress.notary.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.notary.annotations }} +{{ toYaml $ingress.notary.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} + {{- if $ingress.hosts.notary }} + hosts: + - {{ $ingress.hosts.notary }} + {{- end }} + {{- end }} + rules: + - http: + paths: + - path: {{ .notary_path }} +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + backend: + serviceName: {{ template "harbor.notary-server" . }} + servicePort: 4443 +{{- else }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.notary-server" . }} + port: + number: 4443 +{{- end -}} + {{- if $ingress.hosts.notary }} + host: {{ $ingress.hosts.notary }} + {{- end }} +{{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/ingress/secret.yaml b/charts/harbor/harbor/1.12.3/templates/ingress/secret.yaml new file mode 100644 index 0000000000..0d89af99ac --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.12.3/templates/internal/auto-tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/internal/auto-tls.yaml rename to charts/harbor/harbor/1.12.3/templates/internal/auto-tls.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..50de1dc868 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-cm.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-cm.yaml rename to charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-cm.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..32df454b10 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,150 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..3dfa6bd5e6 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-svc.yaml diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-tls.yaml rename to charts/harbor/harbor/1.12.3/templates/jobservice/jobservice-tls.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.12.3/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..ad8522974d --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.12.3/templates/nginx/configmap-http.yaml similarity index 100% rename from charts/harbor/harbor/templates/nginx/configmap-http.yaml rename to charts/harbor/harbor/1.12.3/templates/nginx/configmap-http.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.12.3/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..74c667e009 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/nginx/configmap-https.yaml @@ -0,0 +1,230 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + {{- if .Values.notary.enabled }} + upstream notary-server { + server {{ template "harbor.notary-server" . }}:4443; + } + {{- end }} + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + {{- if .Values.notary.enabled }} + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 4443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:4443 ssl; + {{- end }} + server_tokens off; + # ssl + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html + ssl_protocols tlsv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:ssl:10m; + + # disable any limits to avoid http 413 for large image uploads + client_max_body_size 0; + + # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + location /v2/ { + proxy_pass http://notary-server/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + + proxy_send_timeout 900; + proxy_read_timeout 900; + } + } + {{- end }} + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.12.3/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..bc1de0abfe --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/nginx/deployment.yaml @@ -0,0 +1,109 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/templates/nginx/secret.yaml b/charts/harbor/harbor/1.12.3/templates/nginx/secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/nginx/secret.yaml rename to charts/harbor/harbor/1.12.3/templates/nginx/secret.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/nginx/service.yaml b/charts/harbor/harbor/1.12.3/templates/nginx/service.yaml new file mode 100644 index 0000000000..df4da0944a --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/nginx/service.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $clusterIP.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $nodePort.ports.notary.port }} + targetPort: 4443 + {{- if $nodePort.ports.notary.nodePort }} + nodePort: {{ $nodePort.ports.notary.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $loadBalancer.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/notary/notary-secret.yaml b/charts/harbor/harbor/1.12.3/templates/notary/notary-secret.yaml new file mode 100644 index 0000000000..6de63dd8c5 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/notary/notary-secret.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.notary.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary +type: Opaque +data: + {{- if not .Values.notary.secretName }} + {{- $ca := genCA "harbor-notary-ca" 365 }} + {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil (list (include "harbor.notary-signer" .)) 365 $ca }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + {{- end }} + server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} + signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} + NOTARY_SERVER_DB_URL: {{ include "harbor.database.notaryServer" . | b64enc }} + NOTARY_SIGNER_DB_URL: {{ include "harbor.database.notarySigner" . | b64enc }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/notary/notary-server.yaml b/charts/harbor/harbor/1.12.3/templates/notary/notary-server.yaml new file mode 100644 index 0000000000..64cfd293f2 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/notary/notary-server.yaml @@ -0,0 +1,111 @@ +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-server +spec: + replicas: {{ .Values.notary.server.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-server + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-server + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.notary.server.podAnnotations }} +{{ toYaml .Values.notary.server.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.notary.server.serviceAccountName }} + serviceAccountName: {{ .Values.notary.server.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.notary.server.automountServiceAccountToken | default false }} + containers: + - name: notary-server + image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /_notary_server/health + scheme: "HTTP" + port: 4443 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /_notary_server/health + scheme: "HTTP" + port: 4443 + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.notary.server.resources }} + resources: +{{ toYaml .Values.notary.server.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/server/postgresql + - name: DB_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.notary-server" . }} + key: NOTARY_SERVER_DB_URL + volumeMounts: + - name: config + mountPath: /etc/notary/server-config.postgres.json + subPath: server.json + - name: token-service-certificate + mountPath: /root.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/ca.crt + subPath: ca.crt + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: token-service-certificate + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.server.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.server.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.server.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.notary.server.priorityClassName }} + priorityClassName: {{ .Values.notary.server.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.12.3/templates/notary/notary-signer.yaml b/charts/harbor/harbor/1.12.3/templates/notary/notary-signer.yaml new file mode 100644 index 0000000000..d94e4909bf --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/notary/notary-signer.yaml @@ -0,0 +1,105 @@ +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-signer +spec: + replicas: {{ .Values.notary.signer.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-signer + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-signer + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} +{{- if .Values.notary.signer.podAnnotations }} +{{ toYaml .Values.notary.signer.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.notary.signer.serviceAccountName }} + serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.notary.signer.automountServiceAccountToken | default false }} + containers: + - name: notary-signer + image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: "HTTPS" + port: 7899 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: "HTTPS" + port: 7899 + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.notary.signer.resources }} + resources: +{{ toYaml .Values.notary.signer.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/signer/postgresql + - name: DB_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.notary-server" . }} + key: NOTARY_SIGNER_DB_URL + - name: NOTARY_SIGNER_DEFAULTALIAS + value: defaultalias + volumeMounts: + - name: config + mountPath: /etc/notary/signer-config.postgres.json + subPath: signer.json + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.key + subPath: tls.key + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.signer.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.signer.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.signer.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.notary.signer.priorityClassName }} + priorityClassName: {{ .Values.notary.signer.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.12.3/templates/notary/notary-svc.yaml b/charts/harbor/harbor/1.12.3/templates/notary/notary-svc.yaml new file mode 100644 index 0000000000..b6aa42d89e --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/notary/notary-svc.yaml @@ -0,0 +1,35 @@ +{{ if .Values.notary.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.notary.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: 4443 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-server + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 7899 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-signer +{{ end }} diff --git a/charts/harbor/harbor/1.12.3/templates/portal/configmap.yaml b/charts/harbor/harbor/1.12.3/templates/portal/configmap.yaml new file mode 100644 index 0000000000..1cea8ab63f --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/portal/configmap.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.12.3/templates/portal/deployment.yaml b/charts/harbor/harbor/1.12.3/templates/portal/deployment.yaml new file mode 100644 index 0000000000..d3469deef4 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/portal/deployment.yaml @@ -0,0 +1,97 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/portal/service.yaml b/charts/harbor/harbor/1.12.3/templates/portal/service.yaml new file mode 100644 index 0000000000..ff4eda435b --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/portal/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/templates/portal/tls.yaml b/charts/harbor/harbor/1.12.3/templates/portal/tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/portal/tls.yaml rename to charts/harbor/harbor/1.12.3/templates/portal/tls.yaml diff --git a/charts/harbor/harbor/templates/redis/service.yaml b/charts/harbor/harbor/1.12.3/templates/redis/service.yaml similarity index 100% rename from charts/harbor/harbor/templates/redis/service.yaml rename to charts/harbor/harbor/1.12.3/templates/redis/service.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.12.3/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..74b7581fd8 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/redis/statefulset.yaml @@ -0,0 +1,109 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-cm.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-cm.yaml rename to charts/harbor/harbor/1.12.3/templates/registry/registry-cm.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..118a165d46 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/registry/registry-dpl.yaml @@ -0,0 +1,317 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: JOBSERVICE_SECRET + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.3/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.3/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..529462906e --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/registry/registry-secret.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if eq $type "swift" }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if eq $type "oss" }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/registry/registry-svc.yaml diff --git a/charts/harbor/harbor/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registry-tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-tls.yaml rename to charts/harbor/harbor/1.12.3/templates/registry/registry-tls.yaml diff --git a/charts/harbor/harbor/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registryctl-cm.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registryctl-cm.yaml rename to charts/harbor/harbor/1.12.3/templates/registry/registryctl-cm.yaml diff --git a/charts/harbor/harbor/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.12.3/templates/registry/registryctl-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registryctl-secret.yaml rename to charts/harbor/harbor/1.12.3/templates/registry/registryctl-secret.yaml diff --git a/charts/harbor/harbor/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.12.3/templates/trivy/trivy-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/trivy/trivy-secret.yaml rename to charts/harbor/harbor/1.12.3/templates/trivy/trivy-secret.yaml diff --git a/charts/harbor/harbor/1.12.3/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.12.3/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..37b19ac2d3 --- /dev/null +++ b/charts/harbor/harbor/1.12.3/templates/trivy/trivy-sts.yaml @@ -0,0 +1,206 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.12.3/templates/trivy/trivy-svc.yaml similarity index 100% rename from charts/harbor/harbor/templates/trivy/trivy-svc.yaml rename to charts/harbor/harbor/1.12.3/templates/trivy/trivy-svc.yaml diff --git a/charts/harbor/harbor/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.12.3/templates/trivy/trivy-tls.yaml similarity index 100% rename from charts/harbor/harbor/templates/trivy/trivy-tls.yaml rename to charts/harbor/harbor/1.12.3/templates/trivy/trivy-tls.yaml diff --git a/charts/harbor/harbor/1.12.3/values.yaml b/charts/harbor/harbor/1.12.3/values.yaml new file mode 100644 index 0000000000..d8f4319ffc --- /dev/null +++ b/charts/harbor/harbor/1.12.3/values.yaml @@ -0,0 +1,944 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # Only needed when the "expose.type" is "ingress". + notarySecretName: "" + ingress: + hosts: + core: core.harbor.domain + notary: notary.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + notary: + # notary ingress-specific annotations + annotations: {} + # notary ingress-specific labels + labels: {} + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + # Only needed when notary.enabled is set to true + notary: + # The service port Notary listens on + port: 4443 + # The node port Notary listens on + nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each components tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be gcs-key.json + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.8.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.8.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.8.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## Additional service annotations + serviceAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.8.3 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.8.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.8.3 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.8.3 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +notary: + enabled: true + server: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/notary-server-photon + tag: v2.8.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + ## Additional service annotations + serviceAnnotations: {} + signer: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/notary-signer-photon + tag: v2.8.3 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named ca.crt, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.8.3 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.8.3 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # username field can be an empty string and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + podAnnotations: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.8.3 + nodeSelector: {} + tolerations: [] + affinity: {} + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.12.4/.helmignore b/charts/harbor/harbor/1.12.4/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.12.4/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/Chart.yaml b/charts/harbor/harbor/1.12.4/Chart.yaml new file mode 100644 index 0000000000..7a69cca9f4 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.8.4 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/master/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.12.4 diff --git a/charts/harbor/harbor/1.12.4/LICENSE b/charts/harbor/harbor/1.12.4/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.12.4/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.12.4/README.md b/charts/harbor/harbor/1.12.4/README.md new file mode 100644 index 0000000000..85cc537c67 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/README.md @@ -0,0 +1,427 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be find [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker/notary client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.tls.secret.notarySecretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key. Only needed when the `expose.type` is `ingress` | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.hosts.notary` | The host of Harbor Notary service in ingress rule | `notary.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.ingress.notary.annotations` | The annotations specific to notary ingress | {} | +| `expose.ingress.notary.labels` | The labels specific to notary ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.clusterIP.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.nodePort.ports.notary.port` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | `4443` | +| `expose.nodePort.ports.notary.nodePort` | The node port Notary listens on. Only needed when `notary.enabled` is set to `true` | `30004` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.ports.notaryPort` | The service port Notary listens on. Only needed when `notary.enabled` is set to `true` | | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| **Notary** | | | +| `notary.enabled` | Enable Notary? | `true` | +| `notary.server.image.repository` | Repository for notary server image | `goharbor/notary-server-photon` | +| `notary.server.image.tag` | Tag for notary server image | `dev` | +| `notary.server.replicas` | The replica count | `1` | +| `notary.server.resources` | The [resources] to allocate for container | undefined | +| `notary.server.priorityClassName` | The priority class to run the pod as | | +| `notary.server.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `notary.signer.image.repository` | Repository for notary signer image | `goharbor/notary-signer-photon` | +| `notary.signer.image.tag` | Tag for notary signer image | `dev` | +| `notary.signer.replicas` | The replica count | `1` | +| `notary.signer.resources` | The [resources] to allocate for container | undefined | +| `notary.signer.priorityClassName` | The priority class to run the pod as | | +| `notary.signer.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `notary.nodeSelector` | Node labels for pod assignment | `{}` | +| `notary.tolerations` | Tolerations for pod assignment | `[]` | +| `notary.affinity` | Node/Pod affinities | `{}` | +| `notary.podAnnotations` | Annotations to add to the notary pod | `{}` | +| `notary.serviceAnnotations` | Annotations to add to the notary service | `{}` | +| `notary.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate authority, certificate and private key for notary communications. The secret must contain keys named `ca.crt`, `tls.crt` and `tls.key` that contain the CA, certificate and private key. They will be generated if not set. | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.notaryServerDatabase` | The database used by Notary server | `notary_server` | +| `database.external.notarySignerDatabase` | The database used by Notary signer | `notary_signer` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.12.4/conf/notary-server.json b/charts/harbor/harbor/1.12.4/conf/notary-server.json new file mode 100644 index 0000000000..b3c2624134 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/conf/notary-server.json @@ -0,0 +1,28 @@ +{ + "server": { + "http_addr": ":4443" + }, + "trust_service": { + "type": "remote", + "hostname": "{{ template "harbor.notary-signer" . }}", + "port": "7899", + "tls_ca_file": "/etc/ssl/notary/ca.crt", + "key_algorithm": "ecdsa" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notaryServer" . }}" + }, + "auth": { + "type": "token", + "options": { + "realm": "{{ .Values.externalURL }}/service/token", + "service": "harbor-notary", + "issuer": "harbor-token-issuer", + "rootcertbundle": "/root.crt" + } + } +} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/conf/notary-signer.json b/charts/harbor/harbor/1.12.4/conf/notary-signer.json new file mode 100644 index 0000000000..75a4d68bdb --- /dev/null +++ b/charts/harbor/harbor/1.12.4/conf/notary-signer.json @@ -0,0 +1,15 @@ +{ + "server": { + "grpc_addr": ":7899", + "tls_cert_file": "/etc/ssl/notary/tls.crt", + "tls_key_file": "/etc/ssl/notary/tls.key" + }, + "logging": { + "level": "{{ .Values.logLevel }}" + }, + "storage": { + "backend": "postgres", + "db_url": "{{ template "harbor.database.notarySigner" . }}", + "default_alias": "defaultalias" + } +} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/NOTES.txt b/charts/harbor/harbor/1.12.4/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.12.4/templates/_helpers.tpl b/charts/harbor/harbor/1.12.4/templates/_helpers.tpl new file mode 100644 index 0000000000..130ad5c04a --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/_helpers.tpl @@ -0,0 +1,586 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- .Values.database.internal.password -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notaryServerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notaryserver" -}} + {{- else -}} + {{- .Values.database.external.notaryServerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notarySignerDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "notarysigner" -}} + {{- else -}} + {{- .Values.database.external.notarySignerDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.notaryServer" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.database.notarySigner" -}} +postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.escapedRawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- $cred := ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-server" -}} + {{- printf "%s-notary-server" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.notary-signer" -}} + {{- printf "%s-notary-signer" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress-notary" -}} + {{- printf "%s-ingress-notary" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.notary-server" .) (include "harbor.notary-signer" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components except notary because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsNotarySecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.notarySecretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: "{{ .Values.trace.attributes | toJson }}" + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-cm.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-cm.yaml new file mode 100644 index 0000000000..96562cc066 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-cm.yaml @@ -0,0 +1,85 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + WITH_NOTARY: "{{ .Values.notary.enabled }}" + NOTARY_URL: "http://{{ template "harbor.notary-server" . }}:4443" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration | quote }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..2ca8b0c5e5 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-dpl.yaml @@ -0,0 +1,221 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: JOBSERVICE_SECRET + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-secret.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-secret.yaml new file mode 100644 index 0000000000..20f835b1d8 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-secret.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-svc.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.12.4/templates/core/core-tls.yaml b/charts/harbor/harbor/1.12.4/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/database/database-secret.yaml b/charts/harbor/harbor/1.12.4/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.12.4/templates/database/database-ss.yaml b/charts/harbor/harbor/1.12.4/templates/database/database-ss.yaml new file mode 100644 index 0000000000..733243c71c --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/database/database-ss.yaml @@ -0,0 +1,162 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.12.4/templates/database/database-svc.yaml b/charts/harbor/harbor/1.12.4/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..5ff36f48a6 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,117 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter + annotations: +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.12.4/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..eedd13604a --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/ingress/ingress.yaml @@ -0,0 +1,209 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} + {{- $_ := set . "notary_path" "/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} + {{- $_ := set . "notary_path" "/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- if .Values.notary.enabled }} +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress-notary" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.notary.labels }} +{{ toYaml $ingress.notary.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.notary.annotations }} +{{ toYaml $ingress.notary.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsNotarySecretForIngress" . }} + {{- if $ingress.hosts.notary }} + hosts: + - {{ $ingress.hosts.notary }} + {{- end }} + {{- end }} + rules: + - http: + paths: + - path: {{ .notary_path }} +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + backend: + serviceName: {{ template "harbor.notary-server" . }} + servicePort: 4443 +{{- else }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.notary-server" . }} + port: + number: 4443 +{{- end -}} + {{- if $ingress.hosts.notary }} + host: {{ $ingress.hosts.notary }} + {{- end }} +{{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/ingress/secret.yaml b/charts/harbor/harbor/1.12.4/templates/ingress/secret.yaml new file mode 100644 index 0000000000..0d89af99ac --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core .Values.expose.ingress.hosts.notary) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.12.4/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-cm-env.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-cm-env.yaml rename to charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-cm-env.yaml diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..32df454b10 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,150 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..3dfa6bd5e6 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.12.4/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..ad8522974d --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.12.4/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.12.4/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..74c667e009 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/nginx/configmap-https.yaml @@ -0,0 +1,230 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + {{- if .Values.notary.enabled }} + upstream notary-server { + server {{ template "harbor.notary-server" . }}:4443; + } + {{- end }} + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + {{- if .Values.notary.enabled }} + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 4443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:4443 ssl; + {{- end }} + server_tokens off; + # ssl + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html + ssl_protocols tlsv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:ssl:10m; + + # disable any limits to avoid http 413 for large image uploads + client_max_body_size 0; + + # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + location /v2/ { + proxy_pass http://notary-server/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + + proxy_send_timeout 900; + proxy_read_timeout 900; + } + } + {{- end }} + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.12.4/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..bc1de0abfe --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/nginx/deployment.yaml @@ -0,0 +1,109 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/nginx/secret.yaml b/charts/harbor/harbor/1.12.4/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/nginx/service.yaml b/charts/harbor/harbor/1.12.4/templates/nginx/service.yaml new file mode 100644 index 0000000000..df4da0944a --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/nginx/service.yaml @@ -0,0 +1,96 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $clusterIP.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $nodePort.ports.notary.port }} + targetPort: 4443 + {{- if $nodePort.ports.notary.nodePort }} + nodePort: {{ $nodePort.ports.notary.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} + {{- if .Values.notary.enabled }} + - name: notary + port: {{ $loadBalancer.ports.notaryPort }} + targetPort: 4443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/notary/notary-secret.yaml b/charts/harbor/harbor/1.12.4/templates/notary/notary-secret.yaml new file mode 100644 index 0000000000..6de63dd8c5 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/notary/notary-secret.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.notary.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary +type: Opaque +data: + {{- if not .Values.notary.secretName }} + {{- $ca := genCA "harbor-notary-ca" 365 }} + {{- $cert := genSignedCert (include "harbor.notary-signer" .) nil (list (include "harbor.notary-signer" .)) 365 $ca }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + {{- end }} + server.json: {{ tpl (.Files.Get "conf/notary-server.json") . | b64enc }} + signer.json: {{ tpl (.Files.Get "conf/notary-signer.json") . | b64enc }} + NOTARY_SERVER_DB_URL: {{ include "harbor.database.notaryServer" . | b64enc }} + NOTARY_SIGNER_DB_URL: {{ include "harbor.database.notarySigner" . | b64enc }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/notary/notary-server.yaml b/charts/harbor/harbor/1.12.4/templates/notary/notary-server.yaml new file mode 100644 index 0000000000..64cfd293f2 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/notary/notary-server.yaml @@ -0,0 +1,111 @@ +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-server +spec: + replicas: {{ .Values.notary.server.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-server + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-server + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if .Values.notary.server.podAnnotations }} +{{ toYaml .Values.notary.server.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.notary.server.serviceAccountName }} + serviceAccountName: {{ .Values.notary.server.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.notary.server.automountServiceAccountToken | default false }} + containers: + - name: notary-server + image: {{ .Values.notary.server.image.repository }}:{{ .Values.notary.server.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /_notary_server/health + scheme: "HTTP" + port: 4443 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /_notary_server/health + scheme: "HTTP" + port: 4443 + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.notary.server.resources }} + resources: +{{ toYaml .Values.notary.server.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/server/postgresql + - name: DB_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.notary-server" . }} + key: NOTARY_SERVER_DB_URL + volumeMounts: + - name: config + mountPath: /etc/notary/server-config.postgres.json + subPath: server.json + - name: token-service-certificate + mountPath: /root.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/ca.crt + subPath: ca.crt + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: token-service-certificate + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.server.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.server.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.server.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.notary.server.priorityClassName }} + priorityClassName: {{ .Values.notary.server.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/notary/notary-signer.yaml b/charts/harbor/harbor/1.12.4/templates/notary/notary-signer.yaml new file mode 100644 index 0000000000..d94e4909bf --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/notary/notary-signer.yaml @@ -0,0 +1,105 @@ +{{ if .Values.notary.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: notary-signer +spec: + replicas: {{ .Values.notary.signer.replicas }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: notary-signer + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: notary-signer + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/notary/notary-secret.yaml") . | sha256sum }} +{{- if .Values.notary.signer.podAnnotations }} +{{ toYaml .Values.notary.signer.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.notary.signer.serviceAccountName }} + serviceAccountName: {{ .Values.notary.signer.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.notary.signer.automountServiceAccountToken | default false }} + containers: + - name: notary-signer + image: {{ .Values.notary.signer.image.repository }}:{{ .Values.notary.signer.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: "HTTPS" + port: 7899 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: "HTTPS" + port: 7899 + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.notary.signer.resources }} + resources: +{{ toYaml .Values.notary.signer.resources | indent 10 }} +{{- end }} + env: + - name: MIGRATIONS_PATH + value: migrations/signer/postgresql + - name: DB_URL + valueFrom: + secretKeyRef: + name: {{ template "harbor.notary-server" . }} + key: NOTARY_SIGNER_DB_URL + - name: NOTARY_SIGNER_DEFAULTALIAS + value: defaultalias + volumeMounts: + - name: config + mountPath: /etc/notary/signer-config.postgres.json + subPath: signer.json + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.crt + subPath: tls.crt + - name: signer-certificate + mountPath: /etc/ssl/notary/tls.key + subPath: tls.key + volumes: + - name: config + secret: + secretName: "{{ template "harbor.notary-server" . }}" + - name: signer-certificate + secret: + {{- if .Values.notary.secretName }} + secretName: {{ .Values.notary.secretName }} + {{- else }} + secretName: {{ template "harbor.notary-server" . }} + {{- end }} + {{- with .Values.notary.signer.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.signer.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.notary.signer.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.notary.signer.priorityClassName }} + priorityClassName: {{ .Values.notary.signer.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/notary/notary-svc.yaml b/charts/harbor/harbor/1.12.4/templates/notary/notary-svc.yaml new file mode 100644 index 0000000000..b6aa42d89e --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/notary/notary-svc.yaml @@ -0,0 +1,35 @@ +{{ if .Values.notary.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-server" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.notary.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: 4443 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-server + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.notary-signer" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 7899 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: notary-signer +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/portal/configmap.yaml b/charts/harbor/harbor/1.12.4/templates/portal/configmap.yaml new file mode 100644 index 0000000000..1cea8ab63f --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/portal/configmap.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2; + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.12.4/templates/portal/deployment.yaml b/charts/harbor/harbor/1.12.4/templates/portal/deployment.yaml new file mode 100644 index 0000000000..d3469deef4 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/portal/deployment.yaml @@ -0,0 +1,97 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/portal/service.yaml b/charts/harbor/harbor/1.12.4/templates/portal/service.yaml new file mode 100644 index 0000000000..ff4eda435b --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/portal/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.12.4/templates/portal/tls.yaml b/charts/harbor/harbor/1.12.4/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/redis/service.yaml b/charts/harbor/harbor/1.12.4/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.12.4/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..74b7581fd8 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/redis/statefulset.yaml @@ -0,0 +1,109 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..118a165d46 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-dpl.yaml @@ -0,0 +1,317 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: JOBSERVICE_SECRET + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..529462906e --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-secret.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if eq $type "swift" }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if eq $type "oss" }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.12.4/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.12.4/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.12.4/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..37b19ac2d3 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-sts.yaml @@ -0,0 +1,206 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.12.4/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.12.4/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.12.4/values.yaml b/charts/harbor/harbor/1.12.4/values.yaml new file mode 100644 index 0000000000..11d2c4a57d --- /dev/null +++ b/charts/harbor/harbor/1.12.4/values.yaml @@ -0,0 +1,958 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + # Only needed when the "expose.type" is "ingress". + notarySecretName: "" + ingress: + hosts: + core: core.harbor.domain + notary: notary.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + notary: + # notary ingress-specific annotations + annotations: {} + # notary ingress-specific labels + labels: {} + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + # Only needed when notary.enabled is set to true + notary: + # The service port Notary listens on + port: 4443 + # The node port Notary listens on + nodePort: 30004 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + # The service port Notary listens on. Only needed when notary.enabled + # is set to true + notaryPort: 4443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker/notary client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each components tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be gcs-key.json + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.8.4 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.8.4 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.8.4 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## Additional service annotations + serviceAnnotations: {} + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.8.4 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.8.4 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.8.4 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.8.4 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +notary: + enabled: true + server: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/notary-server-photon + tag: v2.8.4 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + ## Additional service annotations + serviceAnnotations: {} + signer: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/notary-signer-photon + tag: v2.8.4 + replicas: 1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## Additional deployment annotations + podAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate authority, certificate and private key for notary + # communications. + # The secret must contain keys named ca.crt, tls.crt and tls.key that + # contain the CA, certificate and private key. + # They will be generated if not set. + secretName: "" + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.8.4 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + notaryServerDatabase: "notary_server" + notarySignerDatabase: "notary_signer" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.8.4 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + podAnnotations: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.8.4 + nodeSelector: {} + tolerations: [] + affinity: {} + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.13.0/.helmignore b/charts/harbor/harbor/1.13.0/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.13.0/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/Chart.yaml b/charts/harbor/harbor/1.13.0/Chart.yaml new file mode 100644 index 0000000000..6b093bb1a8 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.9.0 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.13.0 diff --git a/charts/harbor/harbor/1.13.0/LICENSE b/charts/harbor/harbor/1.13.0/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.13.0/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.13.0/README.md b/charts/harbor/harbor/1.13.0/README.md new file mode 100644 index 0000000000..f30598cc00 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/README.md @@ -0,0 +1,407 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.13.0/templates/NOTES.txt b/charts/harbor/harbor/1.13.0/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.13.0/templates/_helpers.tpl b/charts/harbor/harbor/1.13.0/templates/_helpers.tpl new file mode 100644 index 0000000000..95a28a6c5e --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/_helpers.tpl @@ -0,0 +1,540 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- .Values.database.internal.password -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- $cred := ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) $cred (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-cm.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-cm.yaml new file mode 100644 index 0000000000..7d284c899d --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-cm.yaml @@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration | quote }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..8d202498db --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-dpl.yaml @@ -0,0 +1,237 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: JOBSERVICE_SECRET + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-secret.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-secret.yaml new file mode 100644 index 0000000000..23b352b475 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-secret.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-svc.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.13.0/templates/core/core-tls.yaml b/charts/harbor/harbor/1.13.0/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/database/database-secret.yaml b/charts/harbor/harbor/1.13.0/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.13.0/templates/database/database-ss.yaml b/charts/harbor/harbor/1.13.0/templates/database/database-ss.yaml new file mode 100644 index 0000000000..3b08b07ef1 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/database/database-ss.yaml @@ -0,0 +1,168 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.13.0/templates/database/database-svc.yaml b/charts/harbor/harbor/1.13.0/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..6d2e1f53ac --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,139 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.13.0/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.13.0/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.13.0/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..e4c06939c6 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/ingress/ingress.yaml @@ -0,0 +1,145 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/templates/ingress/secret.yaml b/charts/harbor/harbor/1.13.0/templates/ingress/secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/ingress/secret.yaml rename to charts/harbor/harbor/1.13.0/templates/ingress/secret.yaml diff --git a/charts/harbor/harbor/1.13.0/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.13.0/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..32df97db76 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,166 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..3dfa6bd5e6 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.13.0/templates/metrics/metrics-svcmon.yaml similarity index 100% rename from charts/harbor/harbor/templates/metrics/metrics-svcmon.yaml rename to charts/harbor/harbor/1.13.0/templates/metrics/metrics-svcmon.yaml diff --git a/charts/harbor/harbor/1.13.0/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.13.0/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.13.0/templates/nginx/configmap-https.yaml similarity index 100% rename from charts/harbor/harbor/templates/nginx/configmap-https.yaml rename to charts/harbor/harbor/1.13.0/templates/nginx/configmap-https.yaml diff --git a/charts/harbor/harbor/1.13.0/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.13.0/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..8290d497b6 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/nginx/deployment.yaml @@ -0,0 +1,126 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/nginx/secret.yaml b/charts/harbor/harbor/1.13.0/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/nginx/service.yaml b/charts/harbor/harbor/1.13.0/templates/nginx/service.yaml new file mode 100644 index 0000000000..12021bfd1a --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/nginx/service.yaml @@ -0,0 +1,78 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/templates/portal/configmap.yaml b/charts/harbor/harbor/1.13.0/templates/portal/configmap.yaml similarity index 100% rename from charts/harbor/harbor/templates/portal/configmap.yaml rename to charts/harbor/harbor/1.13.0/templates/portal/configmap.yaml diff --git a/charts/harbor/harbor/1.13.0/templates/portal/deployment.yaml b/charts/harbor/harbor/1.13.0/templates/portal/deployment.yaml new file mode 100644 index 0000000000..959a3fd7b5 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/portal/deployment.yaml @@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/portal/service.yaml b/charts/harbor/harbor/1.13.0/templates/portal/service.yaml new file mode 100644 index 0000000000..ff4eda435b --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/portal/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.13.0/templates/portal/tls.yaml b/charts/harbor/harbor/1.13.0/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/redis/service.yaml b/charts/harbor/harbor/1.13.0/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.13.0/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..371b0fd5aa --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/redis/statefulset.yaml @@ -0,0 +1,116 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..fddba9fa8b --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-dpl.yaml @@ -0,0 +1,340 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: JOBSERVICE_SECRET + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..529462906e --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-secret.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if eq $type "swift" }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if eq $type "oss" }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.13.0/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.13.0/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.0/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..aba23c9e8a --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-sts.yaml @@ -0,0 +1,222 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.13.0/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.13.0/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.0/values.yaml b/charts/harbor/harbor/1.13.0/values.yaml new file mode 100644 index 0000000000..1160c94ebe --- /dev/null +++ b/charts/harbor/harbor/1.13.0/values.yaml @@ -0,0 +1,962 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: core.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.9.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.9.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.9.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.9.0 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.9.0 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.9.0 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.9.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.9.0 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.9.0 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.9.0 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.13.1/.helmignore b/charts/harbor/harbor/1.13.1/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.13.1/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/Chart.yaml b/charts/harbor/harbor/1.13.1/Chart.yaml new file mode 100644 index 0000000000..1203998e16 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.9.1 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.13.1 diff --git a/charts/harbor/harbor/1.13.1/LICENSE b/charts/harbor/harbor/1.13.1/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.13.1/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.13.1/README.md b/charts/harbor/harbor/1.13.1/README.md new file mode 100644 index 0000000000..f30598cc00 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/README.md @@ -0,0 +1,407 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.13.1/templates/NOTES.txt b/charts/harbor/harbor/1.13.1/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.13.1/templates/_helpers.tpl b/charts/harbor/harbor/1.13.1/templates/_helpers.tpl new file mode 100644 index 0000000000..6ee24fee80 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/_helpers.tpl @@ -0,0 +1,554 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- .Values.database.internal.password -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + + +{{- define "harbor.redis.pwdfromsecret" -}} + {{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }} +{{- end -}} + +{{- define "harbor.redis.cred" -}} + {{- with .Values.redis }} + {{- if (and (eq .type "external" ) (.external.existingSecret)) }} + {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }} + {{- else }} + {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- end }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-cm.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-cm.yaml new file mode 100644 index 0000000000..7d284c899d --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-cm.yaml @@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration | quote }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..8d202498db --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-dpl.yaml @@ -0,0 +1,237 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: "{{ template "harbor.jobservice" . }}" + key: JOBSERVICE_SECRET + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-secret.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-secret.yaml new file mode 100644 index 0000000000..23b352b475 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-secret.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + secret: {{ .Values.core.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (randAlphaNum 32) | b64enc | quote }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-svc.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.13.1/templates/core/core-tls.yaml b/charts/harbor/harbor/1.13.1/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/database/database-secret.yaml b/charts/harbor/harbor/1.13.1/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.13.1/templates/database/database-ss.yaml b/charts/harbor/harbor/1.13.1/templates/database/database-ss.yaml new file mode 100644 index 0000000000..3b08b07ef1 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/database/database-ss.yaml @@ -0,0 +1,168 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.13.1/templates/database/database-svc.yaml b/charts/harbor/harbor/1.13.1/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..6d2e1f53ac --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,139 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.13.1/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.13.1/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.13.1/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..e4c06939c6 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/ingress/ingress.yaml @@ -0,0 +1,145 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/ingress/secret.yaml b/charts/harbor/harbor/1.13.1/templates/ingress/secret.yaml new file mode 100644 index 0000000000..41507b3dd9 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.13.1/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..32df97db76 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,166 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..3dfa6bd5e6 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.13.1/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..1122ef01ef --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.13.1/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.13.1/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..56c943a619 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/nginx/configmap-https.yaml @@ -0,0 +1,187 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.13.1/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..8290d497b6 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/nginx/deployment.yaml @@ -0,0 +1,126 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/nginx/secret.yaml b/charts/harbor/harbor/1.13.1/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/nginx/service.yaml b/charts/harbor/harbor/1.13.1/templates/nginx/service.yaml new file mode 100644 index 0000000000..12021bfd1a --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/nginx/service.yaml @@ -0,0 +1,78 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/portal/configmap.yaml b/charts/harbor/harbor/1.13.1/templates/portal/configmap.yaml new file mode 100644 index 0000000000..7b2118e721 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/portal/configmap.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.13.1/templates/portal/deployment.yaml b/charts/harbor/harbor/1.13.1/templates/portal/deployment.yaml new file mode 100644 index 0000000000..959a3fd7b5 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/portal/deployment.yaml @@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/portal/service.yaml b/charts/harbor/harbor/1.13.1/templates/portal/service.yaml new file mode 100644 index 0000000000..ff4eda435b --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/portal/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.13.1/templates/portal/tls.yaml b/charts/harbor/harbor/1.13.1/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/redis/service.yaml b/charts/harbor/harbor/1.13.1/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.13.1/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..371b0fd5aa --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/redis/statefulset.yaml @@ -0,0 +1,116 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..b9c97ff892 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-dpl.yaml @@ -0,0 +1,347 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.core" . }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "harbor.jobservice" . }} + key: JOBSERVICE_SECRET + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..529462906e --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-secret.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (randAlphaNum 16) | b64enc | quote }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if eq $type "swift" }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if eq $type "oss" }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.13.1/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.13.1/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.13.1/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..aba23c9e8a --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-sts.yaml @@ -0,0 +1,222 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.13.1/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.13.1/values.yaml b/charts/harbor/harbor/1.13.1/values.yaml new file mode 100644 index 0000000000..3da298bc49 --- /dev/null +++ b/charts/harbor/harbor/1.13.1/values.yaml @@ -0,0 +1,963 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: core.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.9.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.9.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.9.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.9.1 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.9.1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.9.1 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.9.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.9.1 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.9.1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.9.1 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.14.0/.helmignore b/charts/harbor/harbor/1.14.0/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.14.0/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/Chart.yaml b/charts/harbor/harbor/1.14.0/Chart.yaml new file mode 100644 index 0000000000..c2acd24b28 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.10.0 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.14.0 diff --git a/charts/harbor/harbor/1.14.0/LICENSE b/charts/harbor/harbor/1.14.0/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.14.0/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.14.0/README.md b/charts/harbor/harbor/1.14.0/README.md new file mode 100644 index 0000000000..c69f54c035 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/README.md @@ -0,0 +1,408 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.14.0/templates/NOTES.txt b/charts/harbor/harbor/1.14.0/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.14.0/templates/_helpers.tpl b/charts/harbor/harbor/1.14.0/templates/_helpers.tpl new file mode 100644 index 0000000000..8fce623dbc --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/_helpers.tpl @@ -0,0 +1,566 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD") | b64dec -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + + +{{- define "harbor.redis.pwdfromsecret" -}} + {{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }} +{{- end -}} + +{{- define "harbor.redis.cred" -}} + {{- with .Values.redis }} + {{- if (and (eq .type "external" ) (.external.existingSecret)) }} + {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }} + {{- else }} + {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- end }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/core/core-cm.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-cm.yaml new file mode 100644 index 0000000000..65237eb00a --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/core/core-cm.yaml @@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..9a92b45a4f --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/core/core-dpl.yaml @@ -0,0 +1,248 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + {{- if .Values.core.existingXsrfSecret }} + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.core.existingXsrfSecret }} + key: {{ .Values.core.existingXsrfSecretKey }} + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/core/core-secret.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-secret.yaml rename to charts/harbor/harbor/1.14.0/templates/core/core-secret.yaml diff --git a/charts/harbor/harbor/1.14.0/templates/core/core-svc.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.14.0/templates/core/core-tls.yaml b/charts/harbor/harbor/1.14.0/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/database/database-secret.yaml b/charts/harbor/harbor/1.14.0/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.14.0/templates/database/database-ss.yaml b/charts/harbor/harbor/1.14.0/templates/database/database-ss.yaml new file mode 100644 index 0000000000..3b08b07ef1 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/database/database-ss.yaml @@ -0,0 +1,168 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.0/templates/database/database-svc.yaml b/charts/harbor/harbor/1.14.0/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..6d2e1f53ac --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,139 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.14.0/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.14.0/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.14.0/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..e4c06939c6 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/ingress/ingress.yaml @@ -0,0 +1,145 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/ingress/secret.yaml b/charts/harbor/harbor/1.14.0/templates/ingress/secret.yaml new file mode 100644 index 0000000000..41507b3dd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.14.0/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..e39e77e6ed --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,173 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + {{- if .Values.jobservice.existingSecret }} + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-secrets.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-secrets.yaml rename to charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-secrets.yaml diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.14.0/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..1122ef01ef --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.14.0/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.14.0/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..56c943a619 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/nginx/configmap-https.yaml @@ -0,0 +1,187 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.14.0/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..8290d497b6 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/nginx/deployment.yaml @@ -0,0 +1,126 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/nginx/secret.yaml b/charts/harbor/harbor/1.14.0/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/nginx/service.yaml b/charts/harbor/harbor/1.14.0/templates/nginx/service.yaml new file mode 100644 index 0000000000..205a805ea4 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/nginx/service.yaml @@ -0,0 +1,81 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.expose.clusterIP.staticClusterIP }} + clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }} + {{- end }} + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/portal/configmap.yaml b/charts/harbor/harbor/1.14.0/templates/portal/configmap.yaml new file mode 100644 index 0000000000..7b2118e721 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/portal/configmap.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.14.0/templates/portal/deployment.yaml b/charts/harbor/harbor/1.14.0/templates/portal/deployment.yaml new file mode 100644 index 0000000000..959a3fd7b5 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/portal/deployment.yaml @@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/templates/portal/service.yaml b/charts/harbor/harbor/1.14.0/templates/portal/service.yaml similarity index 100% rename from charts/harbor/harbor/templates/portal/service.yaml rename to charts/harbor/harbor/1.14.0/templates/portal/service.yaml diff --git a/charts/harbor/harbor/1.14.0/templates/portal/tls.yaml b/charts/harbor/harbor/1.14.0/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/redis/service.yaml b/charts/harbor/harbor/1.14.0/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.14.0/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..371b0fd5aa --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/redis/statefulset.yaml @@ -0,0 +1,116 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..dc4a833477 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registry-dpl.yaml @@ -0,0 +1,419 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-secret.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-secret.yaml rename to charts/harbor/harbor/1.14.0/templates/registry/registry-secret.yaml diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.14.0/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.14.0/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.0/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..aba23c9e8a --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-sts.yaml @@ -0,0 +1,222 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.14.0/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.14.0/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.0/values.yaml b/charts/harbor/harbor/1.14.0/values.yaml new file mode 100644 index 0000000000..4edd63fa8c --- /dev/null +++ b/charts/harbor/harbor/1.14.0/values.yaml @@ -0,0 +1,987 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: core.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) + staticClusterIP: "" + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.10.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.10.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.10.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # If using existingSecret, the key must be secret + existingSecret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + # If using existingSecret, the key is defined by core.existingXsrfSecretKey + existingXsrfSecret: "" + # If using existingSecret, the key + existingXsrfSecretKey: CSRF_KEY + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.10.0 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the job service secret + existingSecretKey: JOBSERVICE_SECRET + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.10.0 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.10.0 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the registry service secret + existingSecretKey: REGISTRY_HTTP_SECRET + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.10.0 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.10.0 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.10.0 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.10.0 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.14.1/.helmignore b/charts/harbor/harbor/1.14.1/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.14.1/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/Chart.yaml b/charts/harbor/harbor/1.14.1/Chart.yaml new file mode 100644 index 0000000000..e077f02120 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.10.1 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.14.1 diff --git a/charts/harbor/harbor/1.14.1/LICENSE b/charts/harbor/harbor/1.14.1/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.14.1/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.14.1/README.md b/charts/harbor/harbor/1.14.1/README.md new file mode 100644 index 0000000000..472324a3ff --- /dev/null +++ b/charts/harbor/harbor/1.14.1/README.md @@ -0,0 +1,411 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.14.1/templates/NOTES.txt b/charts/harbor/harbor/1.14.1/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.14.1/templates/_helpers.tpl b/charts/harbor/harbor/1.14.1/templates/_helpers.tpl new file mode 100644 index 0000000000..b3430a1f36 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/_helpers.tpl @@ -0,0 +1,566 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + + +{{- define "harbor.redis.pwdfromsecret" -}} + {{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }} +{{- end -}} + +{{- define "harbor.redis.cred" -}} + {{- with .Values.redis }} + {{- if (and (eq .type "external" ) (.external.existingSecret)) }} + {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }} + {{- else }} + {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- end }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/core/core-cm.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-cm.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-cm.yaml rename to charts/harbor/harbor/1.14.1/templates/core/core-cm.yaml diff --git a/charts/harbor/harbor/1.14.1/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..9a92b45a4f --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/core/core-dpl.yaml @@ -0,0 +1,248 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + {{- if .Values.core.existingXsrfSecret }} + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.core.existingXsrfSecret }} + key: {{ .Values.core.existingXsrfSecretKey }} + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/core/core-secret.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-secret.yaml new file mode 100644 index 0000000000..62a41fce80 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/core/core-secret.yaml @@ -0,0 +1,36 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingSecret }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingXsrfSecret }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} + {{- end }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.14.1/templates/core/core-svc.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.14.1/templates/core/core-tls.yaml b/charts/harbor/harbor/1.14.1/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/database/database-secret.yaml b/charts/harbor/harbor/1.14.1/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.14.1/templates/database/database-ss.yaml b/charts/harbor/harbor/1.14.1/templates/database/database-ss.yaml new file mode 100644 index 0000000000..3b08b07ef1 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/database/database-ss.yaml @@ -0,0 +1,168 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.1/templates/database/database-svc.yaml b/charts/harbor/harbor/1.14.1/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..6d2e1f53ac --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,139 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.14.1/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.14.1/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.14.1/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..e4c06939c6 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/ingress/ingress.yaml @@ -0,0 +1,145 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/ingress/secret.yaml b/charts/harbor/harbor/1.14.1/templates/ingress/secret.yaml new file mode 100644 index 0000000000..41507b3dd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.14.1/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..e39e77e6ed --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,173 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + {{- if .Values.jobservice.existingSecret }} + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..eeb00bde00 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,16 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.jobservice.existingSecret }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.14.1/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..1122ef01ef --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.14.1/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.14.1/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..56c943a619 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/nginx/configmap-https.yaml @@ -0,0 +1,187 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.14.1/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..8290d497b6 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/nginx/deployment.yaml @@ -0,0 +1,126 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/nginx/secret.yaml b/charts/harbor/harbor/1.14.1/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/nginx/service.yaml b/charts/harbor/harbor/1.14.1/templates/nginx/service.yaml new file mode 100644 index 0000000000..205a805ea4 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/nginx/service.yaml @@ -0,0 +1,81 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.expose.clusterIP.staticClusterIP }} + clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }} + {{- end }} + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/portal/configmap.yaml b/charts/harbor/harbor/1.14.1/templates/portal/configmap.yaml new file mode 100644 index 0000000000..7b2118e721 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/portal/configmap.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.14.1/templates/portal/deployment.yaml b/charts/harbor/harbor/1.14.1/templates/portal/deployment.yaml new file mode 100644 index 0000000000..959a3fd7b5 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/portal/deployment.yaml @@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/portal/service.yaml b/charts/harbor/harbor/1.14.1/templates/portal/service.yaml new file mode 100644 index 0000000000..d00026da46 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/portal/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.portal.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.14.1/templates/portal/tls.yaml b/charts/harbor/harbor/1.14.1/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/redis/service.yaml b/charts/harbor/harbor/1.14.1/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.14.1/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..371b0fd5aa --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/redis/statefulset.yaml @@ -0,0 +1,116 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..dc4a833477 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-dpl.yaml @@ -0,0 +1,419 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..e853a9cbec --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-secret.yaml @@ -0,0 +1,55 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.registry.existingSecret }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.14.1/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.14.1/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.1/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..7ee4e1068f --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-sts.yaml @@ -0,0 +1,224 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.14.1/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.1/values.yaml b/charts/harbor/harbor/1.14.1/values.yaml new file mode 100644 index 0000000000..49e9d458d6 --- /dev/null +++ b/charts/harbor/harbor/1.14.1/values.yaml @@ -0,0 +1,992 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: core.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) + staticClusterIP: "" + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.10.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.10.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.10.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # If using existingSecret, the key must be secret + existingSecret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + # If using existingSecret, the key is defined by core.existingXsrfSecretKey + existingXsrfSecret: "" + # If using existingSecret, the key + existingXsrfSecretKey: CSRF_KEY + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + auditLogsCompliant: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.10.1 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the job service secret + existingSecretKey: JOBSERVICE_SECRET + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.10.1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.10.1 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the registry service secret + existingSecretKey: REGISTRY_HTTP_SECRET + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.10.1 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.10.1 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.10.1 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.10.1 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.14.2/.helmignore b/charts/harbor/harbor/1.14.2/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.14.2/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/Chart.yaml b/charts/harbor/harbor/1.14.2/Chart.yaml new file mode 100644 index 0000000000..1632e628e1 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Harbor + catalog.cattle.io/kube-version: '>=1.20-0' + catalog.cattle.io/release-name: harbor +apiVersion: v1 +appVersion: 2.10.2 +description: An open source trusted cloud native registry that stores, signs, and + scans content +home: https://goharbor.io +icon: https://raw.githubusercontent.com/goharbor/website/main/static/img/logos/harbor-icon-color.png +keywords: +- docker +- registry +- harbor +maintainers: +- email: yinw@vmware.com + name: Wenkai Yin +- email: hweiwei@vmware.com + name: Weiwei He +- email: yshengwen@vmware.com + name: Shengwen Yu +name: harbor +sources: +- https://github.com/goharbor/harbor +- https://github.com/goharbor/harbor-helm +version: 1.14.2 diff --git a/charts/harbor/harbor/1.14.2/LICENSE b/charts/harbor/harbor/1.14.2/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.14.2/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/1.14.2/README.md b/charts/harbor/harbor/1.14.2/README.md new file mode 100644 index 0000000000..472324a3ff --- /dev/null +++ b/charts/harbor/harbor/1.14.2/README.md @@ -0,0 +1,411 @@ +# Helm Chart for Harbor + +**Notes:** The master branch is in heavy development, please use the other stable versions instead. A highly available solution for Harbor based on chart can be found [here](docs/High%20Availability.md). And refer to the [guide](docs/Upgrade.md) to upgrade the existing deployment. + +This repository, including the issues, focuses on deploying Harbor chart via helm. For functionality issues or Harbor questions, please open issues on [goharbor/harbor](https://github.com/goharbor/harbor) + +## Introduction + +This [Helm](https://github.com/kubernetes/helm) chart installs [Harbor](https://github.com/goharbor/harbor) in a Kubernetes cluster. Welcome to [contribute](CONTRIBUTING.md) to Helm Chart for Harbor. + +## Prerequisites + +- Kubernetes cluster 1.20+ +- Helm v3.2.0+ + +## Installation + +### Add Helm repository + +```bash +helm repo add harbor https://helm.goharbor.io +``` + +### Configure the chart + +The following items can be set via `--set` flag during installation or configured by editing the `values.yaml` directly (need to download the chart first). + +#### Configure how to expose Harbor service + +- **Ingress**: The ingress controller must be installed in the Kubernetes cluster. + **Notes:** if TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to issue [#5291](https://github.com/goharbor/harbor/issues/5291) for details. +- **ClusterIP**: Exposes the service on a cluster-internal IP. Choosing this value makes the service only reachable from within the cluster. +- **NodePort**: Exposes the service on each Node’s IP at a static port (the NodePort). You’ll be able to contact the NodePort service, from outside the cluster, by requesting `NodeIP:NodePort`. +- **LoadBalancer**: Exposes the service externally using a cloud provider’s load balancer. + +#### Configure the external URL + +The external URL for Harbor core service is used to: + +1. populate the docker/helm commands showed on portal +2. populate the token service URL returned to docker client + +Format: `protocol://domain[:port]`. Usually: + +- if service exposed via `Ingress`, the `domain` should be the value of `expose.ingress.hosts.core` +- if service exposed via `ClusterIP`, the `domain` should be the value of `expose.clusterIP.name` +- if service exposed via `NodePort`, the `domain` should be the IP address of one Kubernetes node +- if service exposed via `LoadBalancer`, set the `domain` as your own domain name and add a CNAME record to map the domain name to the one you got from the cloud provider + +If Harbor is deployed behind the proxy, set it as the URL of proxy. + +#### Configure how to persist data + +- **Disable**: The data does not survive the termination of a pod. +- **Persistent Volume Claim(default)**: A default `StorageClass` is needed in the Kubernetes cluster to dynamically provision the volumes. Specify another StorageClass in the `storageClass` or set `existingClaim` if you already have existing persistent volumes to use. +- **External Storage(only for images and charts)**: For images and charts, the external storages are supported: `azure`, `gcs`, `s3` `swift` and `oss`. + +#### Configure the other items listed in [configuration](#configuration) section + +### Install the chart + +Install the Harbor helm chart with a release name `my-release`: +```bash +helm install my-release harbor/harbor +``` + +## Uninstallation + +To uninstall/delete the `my-release` deployment: +```bash +helm uninstall my-release +``` + +## Configuration + +The following table lists the configurable parameters of the Harbor chart and the default values. + +| Parameter | Description | Default | +| -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| **Expose** | | | +| `expose.type` | How to expose the service: `ingress`, `clusterIP`, `nodePort` or `loadBalancer`, other values will be ignored and the creation of service will be skipped. | `ingress` | +| `expose.tls.enabled` | Enable TLS or not. Delete the `ssl-redirect` annotations in `expose.ingress.annotations` when TLS is disabled and `expose.type` is `ingress`. Note: if the `expose.type` is `ingress` and TLS is disabled, the port must be included in the command when pulling/pushing images. Refer to https://github.com/goharbor/harbor/issues/5291 for details. | `true` | +| `expose.tls.certSource` | The source of the TLS certificate. Set as `auto`, `secret` or `none` and fill the information in the corresponding section: 1) auto: generate the TLS certificate automatically 2) secret: read the TLS certificate from the specified secret. The TLS certificate can be generated manually or by cert manager 3) none: configure no TLS certificate for the ingress. If the default TLS certificate is configured in the ingress controller, choose this option | `auto` | +| `expose.tls.auto.commonName` | The common name used to generate the certificate, it's necessary when the type isn't `ingress` | | +| `expose.tls.secret.secretName` | The name of secret which contains keys named: `tls.crt` - the certificate; `tls.key` - the private key | | +| `expose.ingress.hosts.core` | The host of Harbor core service in ingress rule | `core.harbor.domain` | +| `expose.ingress.controller` | The ingress controller type. Currently supports `default`, `gce`, `alb`, `f5-bigip` and `ncp` | `default` | +| `expose.ingress.kubeVersionOverride` | Allows the ability to override the kubernetes version used while templating the ingress | | +| `expose.ingress.annotations` | The annotations used commonly for ingresses | | +| `expose.ingress.harbor.annotations` | The annotations specific to harbor ingress | {} | +| `expose.ingress.harbor.labels` | The labels specific to harbor ingress | {} | +| `expose.clusterIP.name` | The name of ClusterIP service | `harbor` | +| `expose.clusterIP.annotations` | The annotations attached to the ClusterIP service | {} | +| `expose.clusterIP.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.clusterIP.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.name` | The name of NodePort service | `harbor` | +| `expose.nodePort.ports.http.port` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.nodePort.ports.http.nodePort` | The node port Harbor listens on when serving HTTP | `30002` | +| `expose.nodePort.ports.https.port` | The service port Harbor listens on when serving HTTPS | `443` | +| `expose.nodePort.ports.https.nodePort` | The node port Harbor listens on when serving HTTPS | `30003` | +| `expose.loadBalancer.name` | The name of service | `harbor` | +| `expose.loadBalancer.IP` | The IP of the loadBalancer. It only works when loadBalancer supports assigning IP | `""` | +| `expose.loadBalancer.ports.httpPort` | The service port Harbor listens on when serving HTTP | `80` | +| `expose.loadBalancer.ports.httpsPort` | The service port Harbor listens on when serving HTTPS | `30002` | +| `expose.loadBalancer.annotations` | The annotations attached to the loadBalancer service | {} | +| `expose.loadBalancer.sourceRanges` | List of IP address ranges to assign to loadBalancerSourceRanges | [] | +| **Internal TLS** | | | +| `internalTLS.enabled` | Enable TLS for the components (core, jobservice, portal, registry, trivy) | `false` | +| `internalTLS.strong_ssl_ciphers` | Enable strong ssl ciphers for nginx and portal | `false` +| `internalTLS.certSource` | Method to provide TLS for the components, options are `auto`, `manual`, `secret`. | `auto` | +| `internalTLS.trustCa` | The content of trust CA, only available when `certSource` is `manual`. **Note**: all the internal certificates of the components must be issued by this CA | | +| `internalTLS.core.secretName` | The secret name for core component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.core.crt` | Content of core's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.core.key` | Content of core's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.secretName` | The secret name for jobservice component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.jobservice.crt` | Content of jobservice's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.jobservice.key` | Content of jobservice's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.registry.secretName` | The secret name for registry component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.registry.crt` | Content of registry's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.registry.key` | Content of registry's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.portal.secretName` | The secret name for portal component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.portal.crt` | Content of portal's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.portal.key` | Content of portal's TLS key file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.secretName` | The secret name for trivy component, only available when `certSource` is `secret`. The secret must contain keys named: `ca.crt` - the CA certificate which is used to issue internal key and crt pair for components and all Harbor components must be issued by the same CA, `tls.crt` - the content of the TLS cert file, `tls.key` - the content of the TLS key file. | | +| `internalTLS.trivy.crt` | Content of trivy's TLS cert file, only available when `certSource` is `manual` | | +| `internalTLS.trivy.key` | Content of trivy's TLS key file, only available when `certSource` is `manual` | | +| **IPFamily** | | | +| `ipFamily.ipv4.enabled` | if cluster is ipv4 enabled, all ipv4 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| `ipFamily.ipv6.enabled` | if cluster is ipv6 enabled, all ipv6 related configs will set correspondingly, but currently it only affects the nginx related components | `true` | +| **Persistence** | | | +| `persistence.enabled` | Enable the data persistence or not | `true` | +| `persistence.resourcePolicy` | Setting it to `keep` to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted. Does not affect PVCs created for internal database and redis components. | `keep` | +| `persistence.persistentVolumeClaim.registry.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.registry.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.registry.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.registry.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.registry.size` | The size of the volume | `5Gi` | +| `persistence.persistentVolumeClaim.registry.annotations` | The annotations of the volume | | +|`persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.jobservice.jobLog.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.jobservice.jobLog.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.database.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.subPath` | The sub path used in the volume. If external database is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.database.accessMode` | The access mode of the volume. If external database is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.database.size` | The size of the volume. If external database is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.database.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.redis.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.subPath` | The sub path used in the volume. If external Redis is used, the setting will be ignored | | +| `persistence.persistentVolumeClaim.redis.accessMode` | The access mode of the volume. If external Redis is used, the setting will be ignored | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.redis.size` | The size of the volume. If external Redis is used, the setting will be ignored | `1Gi` | +| `persistence.persistentVolumeClaim.redis.annotations` | The annotations of the volume | | +| `persistence.persistentVolumeClaim.trivy.existingClaim` | Use the existing PVC which must be created manually before bound, and specify the `subPath` if the PVC is shared with other components | | +| `persistence.persistentVolumeClaim.trivy.storageClass` | Specify the `storageClass` used to provision the volume. Or the default StorageClass will be used (the default). Set it to `-` to disable dynamic provisioning | | +| `persistence.persistentVolumeClaim.trivy.subPath` | The sub path used in the volume | | +| `persistence.persistentVolumeClaim.trivy.accessMode` | The access mode of the volume | `ReadWriteOnce` | +| `persistence.persistentVolumeClaim.trivy.size` | The size of the volume | `1Gi` | +| `persistence.persistentVolumeClaim.trivy.annotations` | The annotations of the volume | | +| `persistence.imageChartStorage.disableredirect` | The configuration for managing redirects from content backends. For backends which not supported it (such as using minio for `s3` storage type), please set it to `true` to disable redirects. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect) for more details | `false` | +| `persistence.imageChartStorage.caBundleSecretName` | Specify the `caBundleSecretName` if the storage service uses a self-signed certificate. The secret must contain keys named `ca.crt` which will be injected into the trust store of registry's and containers. | | +| `persistence.imageChartStorage.type` | The type of storage for images and charts: `filesystem`, `azure`, `gcs`, `s3`, `swift` or `oss`. The type must be `filesystem` if you want to use persistent volumes for registry. Refer to the [guide](https://github.com/docker/distribution/blob/master/docs/configuration.md#storage) for more details | `filesystem` | +| `persistence.imageChartStorage.gcs.existingSecret` | An existing secret containing the gcs service account json key. The key must be gcs-key.json. | `""` | +| `persistence.imageChartStorage.gcs.useWorkloadIdentity` | A boolean to allow the use of workloadidentity in a GKE cluster. To use it, create a kubernetes service account and set the name in the key `serviceAccountName` of each component, then allow automounting the service account. | `false` | +| **General** | | | +| `externalURL` | The external URL for Harbor core service | `https://core.harbor.domain` | +| `caBundleSecretName` | The custom CA bundle secret name, the secret must contain key named "ca.crt" which will be injected into the trust store for core, jobservice, registry, trivy components. | | +| `uaaSecretName` | If using external UAA auth which has a self signed cert, you can provide a pre-created secret containing it under the key `ca.crt`. | | +| `imagePullPolicy` | The image pull policy | | +| `imagePullSecrets` | The imagePullSecrets names for all deployments | | +| `updateStrategy.type` | The update strategy for deployments with persistent volumes(jobservice, registry): `RollingUpdate` or `Recreate`. Set it as `Recreate` when `RWM` for volumes isn't supported | `RollingUpdate` | +| `logLevel` | The log level: `debug`, `info`, `warning`, `error` or `fatal` | `info` | +| `harborAdminPassword` | The initial password of Harbor admin. Change it from portal after launching Harbor | `Harbor12345` | +| `existingSecretAdminPassword` | The name of secret where admin password can be found. | | +| `existingSecretAdminPasswordKey` | The name of the key in the secret where to find harbor admin password Harbor | `HARBOR_ADMIN_PASSWORD` | +| `caSecretName` | The name of the secret which contains key named `ca.crt`. Setting this enables the download link on portal to download the CA certificate when the certificate isn't generated automatically | | +| `secretKey` | The key used for encryption. Must be a string of 16 chars | `not-a-secure-key` | +| `existingSecretSecretKey` | An existing secret containing the encoding secretKey | `""` | +| `proxy.httpProxy` | The URL of the HTTP proxy server | | +| `proxy.httpsProxy` | The URL of the HTTPS proxy server | | +| `proxy.noProxy` | The URLs that the proxy settings not apply to | 127.0.0.1,localhost,.local,.internal | +| `proxy.components` | The component list that the proxy settings apply to | core, jobservice, trivy | +| `enableMigrateHelmHook` | Run the migration job via helm hook, if it is true, the database migration will be separated from harbor-core, run with a preupgrade job migration-job | `false` | +| **Nginx** (if service exposed via `ingress`, Nginx will not be used) | | | +| `nginx.image.repository` | Image repository | `goharbor/nginx-photon` | +| `nginx.image.tag` | Image tag | `dev` | +| `nginx.replicas` | The replica count | `1` | +| `nginx.revisionHistoryLimit` | The revision history limit | `10` | +| `nginx.resources` | The [resources] to allocate for container | undefined | +| `nginx.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `nginx.nodeSelector` | Node labels for pod assignment | `{}` | +| `nginx.tolerations` | Tolerations for pod assignment | `[]` | +| `nginx.affinity` | Node/Pod affinities | `{}` | +| `nginx.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `nginx.podAnnotations` | Annotations to add to the nginx pod | `{}` | +| `nginx.priorityClassName` | The priority class to run the pod as | | +| **Portal** | | | +| `portal.image.repository` | Repository for portal image | `goharbor/harbor-portal` | +| `portal.image.tag` | Tag for portal image | `dev` | +| `portal.replicas` | The replica count | `1` | +| `portal.revisionHistoryLimit` | The revision history limit | `10` | +| `portal.resources` | The [resources] to allocate for container | undefined | +| `portal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `portal.nodeSelector` | Node labels for pod assignment | `{}` | +| `portal.tolerations` | Tolerations for pod assignment | `[]` | +| `portal.affinity` | Node/Pod affinities | `{}` | +| `portal.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `portal.podAnnotations` | Annotations to add to the portal pod | `{}` | +| `portal.serviceAnnotations` | Annotations to add to the portal service | `{}` | +| `portal.priorityClassName` | The priority class to run the pod as | | +| **Core** | | | +| `core.image.repository` | Repository for Harbor core image | `goharbor/harbor-core` | +| `core.image.tag` | Tag for Harbor core image | `dev` | +| `core.replicas` | The replica count | `1` | +| `core.revisionHistoryLimit` | The revision history limit | `10` | +| `core.startupProbe.initialDelaySeconds` | The initial delay in seconds for the startup probe | `10` | +| `core.resources` | The [resources] to allocate for container | undefined | +| `core.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `core.nodeSelector` | Node labels for pod assignment | `{}` | +| `core.tolerations` | Tolerations for pod assignment | `[]` | +| `core.affinity` | Node/Pod affinities | `{}` | +| `core.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `core.podAnnotations` | Annotations to add to the core pod | `{}` | +| `core.serviceAnnotations` | Annotations to add to the core service | `{}` | +| `core.configureUserSettings` | A JSON string to set in the environment variable `CONFIG_OVERWRITE_JSON` to configure user settings. See the [official docs](https://goharbor.io/docs/latest/install-config/configure-user-settings-cli/#configure-users-settings-using-an-environment-variable). | | +| `core.quotaUpdateProvider` | The provider for updating project quota(usage), there are 2 options, redis or db. By default it is implemented by db but you can configure it to redis which can improve the performance of high concurrent pushing to the same project, and reduce the database connections spike and occupies. Using redis will bring up some delay for quota usage updation for display, so only suggest switch provider to redis if you were ran into the db connections spike around the scenario of high concurrent pushing to same project, no improvment for other scenes. | `db` | +| `core.secret` | Secret is used when core server communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `core.secretName` | Fill the name of a kubernetes secret if you want to use your own TLS certificate and private key for token encryption/decryption. The secret must contain keys named: `tls.crt` - the certificate and `tls.key` - the private key. The default key pair will be used if it isn't set | | +| `core.tokenKey` | PEM-formatted RSA private key used to sign service tokens. Only used if `core.secretName` is unset. If set, `core.tokenCert` MUST also be set. | | +| `core.tokenCert` | PEM-formatted certificate signed by `core.tokenKey` used to validate service tokens. Only used if `core.secretName` is unset. If set, `core.tokenKey` MUST also be set. | | +| `core.xsrfKey` | The XSRF key. Will be generated automatically if it isn't specified | | +| `core.priorityClassName` | The priority class to run the pod as | | +| `core.artifactPullAsyncFlushDuration` | The time duration for async update artifact pull_time and repository pull_count | | +| `core.gdpr.deleteUser` | Enable GDPR compliant user delete | `false` | +| `core.gdpr.auditLogsCompliant` | Enable GDPR compliant for audit logs by changing username to its CRC32 value if that user was deleted from the system | `false` | +| **Jobservice** | | | +| `jobservice.image.repository` | Repository for jobservice image | `goharbor/harbor-jobservice` | +| `jobservice.image.tag` | Tag for jobservice image | `dev` | +| `jobservice.replicas` | The replica count | `1` | +| `jobservice.revisionHistoryLimit` | The revision history limit | `10` | +| `jobservice.maxJobWorkers` | The max job workers | `10` | +| `jobservice.jobLoggers` | The loggers for jobs: `file`, `database` or `stdout` | `[file]` | +| `jobservice.loggerSweeperDuration` | The jobLogger sweeper duration in days (ignored if `jobLoggers` is set to `stdout`) | `14` | +| `jobservice.notification.webhook_job_max_retry` | The maximum retry of webhook sending notifications | `3` | +| `jobservice.notification.webhook_job_http_client_timeout` | The http client timeout value of webhook sending notifications | `3` | +| `jobservice.reaper.max_update_hours` | the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 | `24` | +| `jobservice.reaper.max_dangling_hours` | the max time for execution in running state without new task created | `168` | +| `jobservice.resources` | The [resources] to allocate for container | undefined | +| `jobservice.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `jobservice.nodeSelector` | Node labels for pod assignment | `{}` | +| `jobservice.tolerations` | Tolerations for pod assignment | `[]` | +| `jobservice.affinity` | Node/Pod affinities | `{}` | +| `jobservice.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `jobservice.podAnnotations` | Annotations to add to the jobservice pod | `{}` | +| `jobservice.priorityClassName` | The priority class to run the pod as | | +| `jobservice.secret` | Secret is used when job service communicates with other components. If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| **Registry** | | | +| `registry.registry.image.repository` | Repository for registry image | `goharbor/registry-photon` | +| `registry.registry.image.tag` | Tag for registry image | `dev` | +| `registry.registry.resources` | The [resources] to allocate for container | undefined | +| `registry.controller.image.repository` | Repository for registry controller image | `goharbor/harbor-registryctl` | +| `registry.controller.image.tag` | Tag for registry controller image | `dev` | +| `registry.controller.resources` | The [resources] to allocate for container | undefined | +| `registry.replicas` | The replica count | `1` | +| `registry.revisionHistoryLimit` | The revision history limit | `10` | +| `registry.nodeSelector` | Node labels for pod assignment | `{}` | +| `registry.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `registry.tolerations` | Tolerations for pod assignment | `[]` | +| `registry.affinity` | Node/Pod affinities | `{}` | +| `registry.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `registry.middleware` | Middleware is used to add support for a CDN between backend storage and `docker pull` recipient. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#middleware). | | +| `registry.podAnnotations` | Annotations to add to the registry pod | `{}` | +| `registry.priorityClassName` | The priority class to run the pod as | | +| `registry.secret` | Secret is used to secure the upload state from client and registry storage backend. See [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#http). If a secret key is not specified, Helm will generate one. Must be a string of 16 chars. | | +| `registry.credentials.username` | The username that harbor core uses internally to access the registry instance. Together with the `registry.credentials.password`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). | `harbor_registry_user` | +| `registry.credentials.password` | The password that harbor core uses internally to access the registry instance. Together with the `registry.credentials.username`, a htpasswd  is created. This is an alternative to providing `registry.credentials.htpasswdString`. For more details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). It is suggested you update this value before installation. | `harbor_registry_password` | +| `registry.credentials.existingSecret` | An existing secret containing the password for accessing the registry instance, which is hosted by htpasswd auth mode. More details see [official docs](https://github.com/docker/distribution/blob/master/docs/configuration.md#htpasswd). The key must be `REGISTRY_PASSWD` | `""` | +| `registry.credentials.htpasswdString` | Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. | undefined | +| `registry.relativeurls` | If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. Needed if harbor is behind a reverse proxy | `false` | +| `registry.upload_purging.enabled` | If true, enable purge _upload directories | `true` | +| `registry.upload_purging.age` | Remove files in _upload directories which exist for a period of time, default is one week. | `168h` | +| `registry.upload_purging.interval` | The interval of the purge operations | `24h` | +| `registry.upload_purging.dryrun` | If true, enable dryrun for purging _upload, default false | `false` | +| **[Trivy][trivy]** | | | +| `trivy.enabled` | The flag to enable Trivy scanner | `true` | +| `trivy.image.repository` | Repository for Trivy adapter image | `goharbor/trivy-adapter-photon` | +| `trivy.image.tag` | Tag for Trivy adapter image | `dev` | +| `trivy.resources` | The [resources] to allocate for Trivy adapter container | | +| `trivy.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `trivy.replicas` | The number of Pod replicas | `1` | +| `trivy.debugMode` | The flag to enable Trivy debug mode | `false` | +| `trivy.vulnType` | Comma-separated list of vulnerability types. Possible values `os` and `library`. | `os,library` | +| `trivy.severity` | Comma-separated list of severities to be checked | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `trivy.skipUpdate` | The flag to disable [Trivy DB][trivy-db] downloads from GitHub | `false` | +| `trivy.skipJavaDBUpdate` | If the flag is enabled you have to manually download the `trivy-java.db` file [Trivy Java DB][trivy-java-db] and mount it in the `/home/scanner/.cache/trivy/java-db/trivy-java.db` path | `false` | +| `trivy.offlineScan` | The flag prevents Trivy from sending API requests to identify dependencies. | `false` | +| `trivy.securityCheck` | Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. | `vuln` | +| `trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `trivy.gitHubToken` | The GitHub access token to download [Trivy DB][trivy-db] (see [GitHub rate limiting][trivy-rate-limiting]) | | +| `trivy.priorityClassName` | The priority class to run the pod as | | +| `trivy.topologySpreadConstraints` | The priority class to run the pod as | | +| **Database** | | | +| `database.type` | If external database is used, set it to `external` | `internal` | +| `database.internal.image.repository` | Repository for database image | `goharbor/harbor-db` | +| `database.internal.image.tag` | Tag for database image | `dev` | +| `database.internal.password` | The password for database | `changeit` | +| `database.internal.shmSizeLimit` | The limit for the size of shared memory for internal PostgreSQL, conventionally it's around 50% of the memory limit of the container | `512Mi` | +| `database.internal.resources` | The [resources] to allocate for container | undefined | +| `database.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `database.internal.initContainer.migrator.resources` | The [resources] to allocate for the database migrator initContainer | undefined | +| `database.internal.initContainer.permissions.resources` | The [resources] to allocate for the database permissions initContainer | undefined | +| `database.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `database.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `database.internal.affinity` | Node/Pod affinities | `{}` | +| `database.internal.priorityClassName` | The priority class to run the pod as | | +| `database.internal.livenessProbe.timeoutSeconds` | The timeout used in liveness probe; 1 to 5 seconds | 1 | +| `database.internal.readinessProbe.timeoutSeconds` | The timeout used in readiness probe; 1 to 5 seconds | 1 | +| `database.external.host` | The hostname of external database | `192.168.0.1` | +| `database.external.port` | The port of external database | `5432` | +| `database.external.username` | The username of external database | `user` | +| `database.external.password` | The password of external database | `password` | +| `database.external.coreDatabase` | The database used by core service | `registry` | +| `database.external.existingSecret` | An existing password containing the database password. the key must be `password`. | `""` | +| `database.external.sslmode` | Connection method of external database (require, verify-full, verify-ca, disable) | `disable` | +| `database.maxIdleConns` | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | `50` | +| `database.maxOpenConns` | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | `100` | +| `database.podAnnotations` | Annotations to add to the database pod | `{}` | +| **Redis** | | | +| `redis.type` | If external redis is used, set it to `external` | `internal` | +| `redis.internal.image.repository` | Repository for redis image | `goharbor/redis-photon` | +| `redis.internal.image.tag` | Tag for redis image | `dev` | +| `redis.internal.resources` | The [resources] to allocate for container | undefined | +| `redis.internal.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `redis.internal.nodeSelector` | Node labels for pod assignment | `{}` | +| `redis.internal.tolerations` | Tolerations for pod assignment | `[]` | +| `redis.internal.affinity` | Node/Pod affinities | `{}` | +| `redis.internal.priorityClassName` | The priority class to run the pod as | | +| `redis.internal.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.internal.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.internal.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.internal.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.internal.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.addr` | The addr of external Redis: :. When using sentinel, it should be :,:,: | `192.168.0.2:6379` | +| `redis.external.sentinelMasterSet` | The name of the set of Redis instances to monitor | | +| `redis.external.coreDatabaseIndex` | The database index for core | `0` | +| `redis.external.jobserviceDatabaseIndex` | The database index for jobservice | `1` | +| `redis.external.registryDatabaseIndex` | The database index for registry | `2` | +| `redis.external.trivyAdapterIndex` | The database index for trivy adapter | `5` | +| `redis.external.harborDatabaseIndex` | The database index for harbor miscellaneous business logic | `0` | +| `redis.external.cacheLayerDatabaseIndex` | The database index for harbor cache layer | `0` | +| `redis.external.username` | The username of external Redis | | +| `redis.external.password` | The password of external Redis | | +| `redis.external.existingSecret` | Use an existing secret to connect to redis. The key must be `REDIS_PASSWORD`. | `""` | +| `redis.podAnnotations` | Annotations to add to the redis pod | `{}` | +| **Exporter** | | | +| `exporter.replicas` | The replica count | `1` | +| `exporter.revisionHistoryLimit` | The revision history limit | `10` | +| `exporter.podAnnotations` | Annotations to add to the exporter pod | `{}` | +| `exporter.image.repository` | Repository for redis image | `goharbor/harbor-exporter` | +| `exporter.image.tag` | Tag for exporter image | `dev` | +| `exporter.nodeSelector` | Node labels for pod assignment | `{}` | +| `exporter.tolerations` | Tolerations for pod assignment | `[]` | +| `exporter.affinity` | Node/Pod affinities | `{}` | +| `exporter.topologySpreadConstraints` | Constraints that define how Pods are spread across failure-domains like regions or availability zones | `[]` | +| `exporter.automountServiceAccountToken` | Mount serviceAccountToken? | `false` | +| `exporter.cacheDuration` | the cache duration for information that exporter collected from Harbor | `30` | +| `exporter.cacheCleanInterval` | cache clean interval for information that exporter collected from Harbor | `14400` | +| `exporter.priorityClassName` | The priority class to run the pod as | | +| **Metrics** | | | +| `metrics.enabled` | if enable harbor metrics | `false` | +| `metrics.core.path` | the url path for core metrics | `/metrics` | +| `metrics.core.port` | the port for core metrics | `8001` | +| `metrics.registry.path` | the url path for registry metrics | `/metrics` | +| `metrics.registry.port` | the port for registry metrics | `8001` | +| `metrics.exporter.path` | the url path for exporter metrics | `/metrics` | +| `metrics.exporter.port` | the port for exporter metrics | `8001` | +| `metrics.serviceMonitor.enabled` | create prometheus serviceMonitor. Requires prometheus CRD's | `false` | +| `metrics.serviceMonitor.additionalLabels` | additional labels to upsert to the manifest | `""` | +| `metrics.serviceMonitor.interval` | scrape period for harbor metrics | `""` | +| `metrics.serviceMonitor.metricRelabelings` | metrics relabel to add/mod/del before ingestion | `[]` | +| `metrics.serviceMonitor.relabelings` | relabels to add/mod/del to sample before scrape | `[]` | +| **Trace** | | | +| `trace.enabled` | Enable tracing or not | `false` | +| `trace.provider` | The tracing provider: `jaeger` or `otel`. `jaeger` should be 1.26+ | `jaeger` | +| `trace.sample_rate` | Set `sample_rate` to 1 if you want sampling 100% of trace data; set 0.5 if you want sampling 50% of trace data, and so forth | `1` | +| `trace.namespace` | Namespace used to differentiate different harbor services | | +| `trace.attributes` | `attributes` is a key value dict contains user defined attributes used to initialize trace provider | | +| `trace.jaeger.endpoint` | The endpoint of jaeger | `http://hostname:14268/api/traces` | +| `trace.jaeger.username` | The username of jaeger | | +| `trace.jaeger.password` | The password of jaeger | | +| `trace.jaeger.agent_host` | The agent host of jaeger | | +| `trace.jaeger.agent_port` | The agent port of jaeger | `6831` | +| `trace.otel.endpoint` | The endpoint of otel | `hostname:4318` | +| `trace.otel.url_path` | The URL path of otel | `/v1/traces` | +| `trace.otel.compression` | Whether enable compression or not for otel | `false` | +| `trace.otel.insecure` | Whether establish insecure connection or not for otel | `true` | +| `trace.otel.timeout` | The timeout in seconds of otel | `10` | +| **Cache** | | | +| `cache.enabled` | Enable cache layer or not | `false` | +| `cache.expireHours` | The expire hours of cache layer | `24` | + +[resources]: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +[trivy]: https://github.com/aquasecurity/trivy +[trivy-db]: https://github.com/aquasecurity/trivy-db +[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db +[trivy-rate-limiting]: https://github.com/aquasecurity/trivy#github-rate-limiting diff --git a/charts/harbor/harbor/1.14.2/templates/NOTES.txt b/charts/harbor/harbor/1.14.2/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/1.14.2/templates/_helpers.tpl b/charts/harbor/harbor/1.14.2/templates/_helpers.tpl new file mode 100644 index 0000000000..b3430a1f36 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/_helpers.tpl @@ -0,0 +1,566 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "harbor.name" -}} +{{- default "harbor" .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "harbor.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "harbor" .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Helm required labels */}} +{{- define "harbor.labels" -}} +heritage: {{ .Release.Service }} +release: {{ .Release.Name }} +chart: {{ .Chart.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* matchLabels */}} +{{- define "harbor.matchLabels" -}} +release: {{ .Release.Name }} +app: "{{ template "harbor.name" . }}" +{{- end -}} + +{{/* Helper for printing values from existing secrets*/}} +{{- define "harbor.secretKeyHelper" -}} + {{- if and (not (empty .data)) (hasKey .data .key) }} + {{- index .data .key | b64dec -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCert" -}} + {{- if and .Values.expose.tls.enabled (eq .Values.expose.tls.certSource "auto") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForIngress" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (eq .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.autoGenCertForNginx" -}} + {{- if and (eq (include "harbor.autoGenCert" .) "true") (ne .Values.expose.type "ingress") -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.host" -}} + {{- if eq .Values.database.type "internal" -}} + {{- template "harbor.database" . }} + {{- else -}} + {{- .Values.database.external.host -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.port" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "5432" -}} + {{- else -}} + {{- .Values.database.external.port -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.username" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "postgres" -}} + {{- else -}} + {{- .Values.database.external.username -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.rawPassword" -}} + {{- if eq .Values.database.type "internal" -}} + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.database" .) -}} + {{- if and (not (empty $existingSecret)) (hasKey $existingSecret.data "POSTGRES_PASSWORD") -}} + {{- .Values.database.internal.password | default (index $existingSecret.data "POSTGRES_PASSWORD" | b64dec) -}} + {{- else -}} + {{- .Values.database.internal.password -}} + {{- end -}} + {{- else -}} + {{- .Values.database.external.password -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.escapedRawPassword" -}} + {{- include "harbor.database.rawPassword" . | urlquery | replace "+" "%20" -}} +{{- end -}} + +{{- define "harbor.database.encryptedPassword" -}} + {{- include "harbor.database.rawPassword" . | b64enc | quote -}} +{{- end -}} + +{{- define "harbor.database.coreDatabase" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "registry" -}} + {{- else -}} + {{- .Values.database.external.coreDatabase -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.database.sslmode" -}} + {{- if eq .Values.database.type "internal" -}} + {{- printf "%s" "disable" -}} + {{- else -}} + {{- .Values.database.external.sslmode -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.redis.scheme" -}} + {{- with .Values.redis }} + {{- ternary "redis+sentinel" "redis" (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }} + {{- end }} +{{- end -}} + +/*host:port*/ +{{- define "harbor.redis.addr" -}} + {{- with .Values.redis }} + {{- ternary (printf "%s:6379" (include "harbor.redis" $ )) .external.addr (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.masterSet" -}} + {{- with .Values.redis }} + {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.password" -}} + {{- with .Values.redis }} + {{- ternary "" .external.password (eq .type "internal") }} + {{- end }} +{{- end -}} + + +{{- define "harbor.redis.pwdfromsecret" -}} + {{- (lookup "v1" "Secret" .Release.Namespace (.Values.redis.external.existingSecret)).data.REDIS_PASSWORD | b64dec }} +{{- end -}} + +{{- define "harbor.redis.cred" -}} + {{- with .Values.redis }} + {{- if (and (eq .type "external" ) (.external.existingSecret)) }} + {{- printf ":%s@" (include "harbor.redis.pwdfromsecret" $) }} + {{- else }} + {{- ternary (printf "%s:%s@" (.external.username | urlquery) (.external.password | urlquery)) "" (and (eq .type "external" ) (not (not .external.password))) }} + {{- end }} + {{- end }} +{{- end -}} + +/*scheme://[:password@]host:port[/master_set]*/ +{{- define "harbor.redis.url" -}} + {{- with .Values.redis }} + {{- $path := ternary "" (printf "/%s" (include "harbor.redis.masterSet" $)) (not (include "harbor.redis.masterSet" $)) }} + {{- printf "%s://%s%s%s" (include "harbor.redis.scheme" $) (include "harbor.redis.cred" $) (include "harbor.redis.addr" $) $path -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCore" -}} + {{- with .Values.redis }} + {{- $index := ternary "0" .external.coreDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index*/ +{{- define "harbor.redis.urlForJobservice" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.jobserviceDatabaseIndex .external.jobserviceDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForRegistry" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForTrivy" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.trivyAdapterIndex .external.trivyAdapterIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForHarbor" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.harborDatabaseIndex .external.harborDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +/*scheme://[:password@]addr/db_index?idle_timeout_seconds=30*/ +{{- define "harbor.redis.urlForCache" -}} + {{- with .Values.redis }} + {{- $index := ternary .internal.cacheLayerDatabaseIndex .external.cacheLayerDatabaseIndex (eq .type "internal") }} + {{- printf "%s/%s?idle_timeout_seconds=30" (include "harbor.redis.url" $) $index -}} + {{- end }} +{{- end -}} + +{{- define "harbor.redis.dbForRegistry" -}} + {{- with .Values.redis }} + {{- ternary .internal.registryDatabaseIndex .external.registryDatabaseIndex (eq .type "internal") }} + {{- end }} +{{- end -}} + +{{- define "harbor.portal" -}} + {{- printf "%s-portal" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.core" -}} + {{- printf "%s-core" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.redis" -}} + {{- printf "%s-redis" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.jobservice" -}} + {{- printf "%s-jobservice" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registry" -}} + {{- printf "%s-registry" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.registryCtl" -}} + {{- printf "%s-registryctl" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.database" -}} + {{- printf "%s-database" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.trivy" -}} + {{- printf "%s-trivy" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.nginx" -}} + {{- printf "%s-nginx" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.exporter" -}} + {{- printf "%s-exporter" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.ingress" -}} + {{- printf "%s-ingress" (include "harbor.fullname" .) -}} +{{- end -}} + +{{- define "harbor.noProxy" -}} + {{- printf "%s,%s,%s,%s,%s,%s,%s,%s" (include "harbor.core" .) (include "harbor.jobservice" .) (include "harbor.database" .) (include "harbor.registry" .) (include "harbor.portal" .) (include "harbor.trivy" .) (include "harbor.exporter" .) .Values.proxy.noProxy -}} +{{- end -}} + +{{- define "harbor.caBundleVolume" -}} +- name: ca-bundle-certs + secret: + secretName: {{ .Values.caBundleSecretName }} +{{- end -}} + +{{- define "harbor.caBundleVolumeMount" -}} +- name: ca-bundle-certs + mountPath: /harbor_cust_cert/custom-ca.crt + subPath: ca.crt +{{- end -}} + +{{/* scheme for all components because it only support http mode */}} +{{- define "harbor.component.scheme" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "https" -}} + {{- else -}} + {{- printf "http" -}} + {{- end -}} +{{- end -}} + +{{/* core component container port */}} +{{- define "harbor.core.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* core component service port */}} +{{- define "harbor.core.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component container port */}} +{{- define "harbor.jobservice.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* jobservice component service port */}} +{{- define "harbor.jobservice.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* portal component container port */}} +{{- define "harbor.portal.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* portal component service port */}} +{{- define "harbor.portal.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "443" -}} + {{- else -}} + {{- printf "80" -}} + {{- end -}} +{{- end -}} + +{{/* registry component container port */}} +{{- define "harbor.registry.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registry component service port */}} +{{- define "harbor.registry.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "5443" -}} + {{- else -}} + {{- printf "5000" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component container port */}} +{{- define "harbor.registryctl.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* registryctl component service port */}} +{{- define "harbor.registryctl.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component container port */}} +{{- define "harbor.trivy.containerPort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* trivy component service port */}} +{{- define "harbor.trivy.servicePort" -}} + {{- if .Values.internalTLS.enabled -}} + {{- printf "8443" -}} + {{- else -}} + {{- printf "8080" -}} + {{- end -}} +{{- end -}} + +{{/* CORE_URL */}} +{{/* port is included in this url as a workaround for issue https://github.com/aquasecurity/harbor-scanner-trivy/issues/108 */}} +{{- define "harbor.coreURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.core" .) (include "harbor.core.servicePort" .) -}} +{{- end -}} + +{{/* JOBSERVICE_URL */}} +{{- define "harbor.jobserviceURL" -}} + {{- printf "%s://%s-jobservice" (include "harbor.component.scheme" .) (include "harbor.fullname" .) -}} +{{- end -}} + +{{/* PORTAL_URL */}} +{{- define "harbor.portalURL" -}} + {{- printf "%s://%s" (include "harbor.component.scheme" .) (include "harbor.portal" .) -}} +{{- end -}} + +{{/* REGISTRY_URL */}} +{{- define "harbor.registryURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registry.servicePort" .) -}} +{{- end -}} + +{{/* REGISTRY_CONTROLLER_URL */}} +{{- define "harbor.registryControllerURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.registry" .) (include "harbor.registryctl.servicePort" .) -}} +{{- end -}} + +{{/* TOKEN_SERVICE_URL */}} +{{- define "harbor.tokenServiceURL" -}} + {{- printf "%s/service/token" (include "harbor.coreURL" .) -}} +{{- end -}} + +{{/* TRIVY_ADAPTER_URL */}} +{{- define "harbor.trivyAdapterURL" -}} + {{- printf "%s://%s:%s" (include "harbor.component.scheme" .) (include "harbor.trivy" .) (include "harbor.trivy.servicePort" .) -}} +{{- end -}} + +{{- define "harbor.internalTLS.core.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.core.secretName -}} + {{- else -}} + {{- printf "%s-core-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.jobservice.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.jobservice.secretName -}} + {{- else -}} + {{- printf "%s-jobservice-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.portal.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.portal.secretName -}} + {{- else -}} + {{- printf "%s-portal-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.registry.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.registry.secretName -}} + {{- else -}} + {{- printf "%s-registry-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.internalTLS.trivy.secretName" -}} + {{- if eq .Values.internalTLS.certSource "secret" -}} + {{- .Values.internalTLS.trivy.secretName -}} + {{- else -}} + {{- printf "%s-trivy-internal-tls" (include "harbor.fullname" .) -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsCoreSecretForIngress" -}} + {{- if eq .Values.expose.tls.certSource "none" -}} + {{- printf "" -}} + {{- else if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.ingress" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.tlsSecretForNginx" -}} + {{- if eq .Values.expose.tls.certSource "secret" -}} + {{- .Values.expose.tls.secret.secretName -}} + {{- else -}} + {{- include "harbor.nginx" . -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.metricsPortName" -}} + {{- if .Values.internalTLS.enabled }} + {{- printf "https-metrics" -}} + {{- else -}} + {{- printf "http-metrics" -}} + {{- end -}} +{{- end -}} + +{{- define "harbor.traceEnvs" -}} + TRACE_ENABLED: "{{ .Values.trace.enabled }}" + TRACE_SAMPLE_RATE: "{{ .Values.trace.sample_rate }}" + TRACE_NAMESPACE: "{{ .Values.trace.namespace }}" + {{- if .Values.trace.attributes }} + TRACE_ATTRIBUTES: {{ .Values.trace.attributes | toJson | squote }} + {{- end }} + {{- if eq .Values.trace.provider "jaeger" }} + TRACE_JAEGER_ENDPOINT: "{{ .Values.trace.jaeger.endpoint }}" + TRACE_JAEGER_USERNAME: "{{ .Values.trace.jaeger.username }}" + TRACE_JAEGER_AGENT_HOSTNAME: "{{ .Values.trace.jaeger.agent_host }}" + TRACE_JAEGER_AGENT_PORT: "{{ .Values.trace.jaeger.agent_port }}" + {{- else }} + TRACE_OTEL_ENDPOINT: "{{ .Values.trace.otel.endpoint }}" + TRACE_OTEL_URL_PATH: "{{ .Values.trace.otel.url_path }}" + TRACE_OTEL_COMPRESSION: "{{ .Values.trace.otel.compression }}" + TRACE_OTEL_INSECURE: "{{ .Values.trace.otel.insecure }}" + TRACE_OTEL_TIMEOUT: "{{ .Values.trace.otel.timeout }}" + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForCore" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-core" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForJobservice" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-jobservice" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceEnvsForRegistryCtl" -}} + {{- if .Values.trace.enabled }} + TRACE_SERVICE_NAME: "harbor-registryctl" + {{ include "harbor.traceEnvs" . }} + {{- end }} +{{- end -}} + +{{- define "harbor.traceJaegerPassword" -}} + {{- if and .Values.trace.enabled (eq .Values.trace.provider "jaeger") }} + TRACE_JAEGER_PASSWORD: "{{ .Values.trace.jaeger.password | default "" | b64enc }}" + {{- end }} +{{- end -}} + +{{/* Allow KubeVersion to be overridden. */}} +{{- define "harbor.ingress.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.expose.ingress.kubeVersionOverride -}} +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-cm.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-cm.yaml new file mode 100644 index 0000000000..93cab01b4c --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-cm.yaml @@ -0,0 +1,90 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- if .Values.core.gdpr.auditLogsCompliant}} + GDPR_AUDIT_LOGS: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-dpl.yaml new file mode 100644 index 0000000000..9a92b45a4f --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-dpl.yaml @@ -0,0 +1,248 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: core +spec: + replicas: {{ .Values.core.replicas }} + revisionHistoryLimit: {{ .Values.core.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: core + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: core +{{- if .Values.core.podLabels }} +{{ toYaml .Values.core.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/core/core-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.core.podAnnotations }} +{{ toYaml .Values.core.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.core.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.core.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: core +{{- end }} +{{- end }} + containers: + - name: core + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- if .Values.core.startupProbe.enabled }} + startupProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 360 + initialDelaySeconds: {{ .Values.core.startupProbe.initialDelaySeconds }} + periodSeconds: 10 + {{- end }} + livenessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v2.0/ping + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.core.containerPort" . }} + failureThreshold: 2 + periodSeconds: 10 + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/core/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/core/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/core/ca.crt + {{- end }} + {{- if .Values.database.external.existingSecret }} + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} + {{- if .Values.core.existingXsrfSecret }} + - name: CSRF_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.core.existingXsrfSecret }} + key: {{ .Values.core.existingXsrfSecretKey }} + {{- end }} +{{- with .Values.core.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + - name: secret-key + mountPath: /etc/core/key + subPath: key + - name: token-service-private-key + mountPath: /etc/core/private_key.pem + subPath: tls.key + {{- if .Values.expose.tls.enabled }} + - name: ca-download + mountPath: /etc/core/ca + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + mountPath: /etc/core/auth-ca/auth-ca.crt + subPath: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + {{- end }} + - name: psc + mountPath: /etc/core/token + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} +{{- if .Values.core.resources }} + resources: +{{ toYaml .Values.core.resources | indent 10 }} +{{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + - name: secret-key + secret: + {{- if .Values.existingSecretSecretKey }} + secretName: {{ .Values.existingSecretSecretKey }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + items: + - key: secretKey + path: key + - name: token-service-private-key + secret: + {{- if .Values.core.secretName }} + secretName: {{ .Values.core.secretName }} + {{- else }} + secretName: {{ template "harbor.core" . }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: ca-download + secret: + {{- if .Values.caSecretName }} + secretName: {{ .Values.caSecretName }} + {{- else if eq (include "harbor.autoGenCertForIngress" .) "true" }} + secretName: "{{ template "harbor.ingress" . }}" + {{- else if eq (include "harbor.autoGenCertForNginx" .) "true" }} + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- end }} + {{- if .Values.uaaSecretName }} + - name: auth-ca-cert + secret: + secretName: {{ .Values.uaaSecretName }} + items: + - key: ca.crt + path: auth-ca.crt + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + - name: psc + emptyDir: {} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.core.priorityClassName }} + priorityClassName: {{ .Values.core.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-pre-upgrade-job.yaml new file mode 100644 index 0000000000..43c9d3596d --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-pre-upgrade-job.yaml @@ -0,0 +1,74 @@ +{{- if .Values.enableMigrateHelmHook }} +apiVersion: batch/v1 +kind: Job +metadata: + name: migration-job + labels: +{{ include "harbor.labels" . | indent 4 }} + component: migrator + annotations: + # This is what defines this resource as a hook. Without this line, the + # job is considered part of the release. + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "-5" +spec: + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: migrator + spec: + restartPolicy: Never + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.core.serviceAccountName }} + serviceAccountName: {{ .Values.core.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 120 + containers: + - name: core-job + image: {{ .Values.core.image.repository }}:{{ .Values.core.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/harbor/harbor_core", "-mode=migrate"] + envFrom: + - configMapRef: + name: "{{ template "harbor.core" . }}" + - secretRef: + name: "{{ template "harbor.core" . }}" + {{- if .Values.database.external.existingSecret }} + env: + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/core/app.conf + subPath: app.conf + volumes: + - name: config + configMap: + name: {{ template "harbor.core" . }} + items: + - key: app.conf + path: app.conf + {{- with .Values.core.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.core.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-secret.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-secret.yaml new file mode 100644 index 0000000000..62a41fce80 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-secret.yaml @@ -0,0 +1,36 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingSecret }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingXsrfSecret }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} + {{- end }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-svc.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.14.2/templates/core/core-tls.yaml b/charts/harbor/harbor/1.14.2/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/database/database-secret.yaml b/charts/harbor/harbor/1.14.2/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/1.14.2/templates/database/database-ss.yaml b/charts/harbor/harbor/1.14.2/templates/database/database-ss.yaml new file mode 100644 index 0000000000..3b08b07ef1 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/database/database-ss.yaml @@ -0,0 +1,168 @@ +{{- if eq .Values.database.type "internal" -}} +{{- $database := .Values.persistence.persistentVolumeClaim.database -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: database +spec: + replicas: 1 + serviceName: "{{ template "harbor.database" . }}" + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: database + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: database +{{- if .Values.database.podLabels }} +{{ toYaml .Values.database.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/database/database-secret.yaml") . | sha256sum }} +{{- if .Values.database.podAnnotations }} +{{ toYaml .Values.database.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.database.internal.serviceAccountName }} + serviceAccountName: {{ .Values.database.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.database.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + initContainers: + # as we change the data directory to a sub folder to support psp, the init container here + # is used to migrate the existing data. See https://github.com/goharbor/harbor-helm/issues/756 + # for more detail. + # we may remove it after several releases + - name: "data-migrator" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "[ -e /var/lib/postgresql/data/postgresql.conf ] && [ ! -d /var/lib/postgresql/data/pgdata ] && mkdir -m 0700 /var/lib/postgresql/data/pgdata && mv /var/lib/postgresql/data/* /var/lib/postgresql/data/pgdata/ || true"] +{{- if .Values.database.internal.initContainer.migrator.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.migrator.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + # with "fsGroup" set, each time a volume is mounted, Kubernetes must recursively chown() and chmod() all the files and directories inside the volume + # this causes the postgresql reports the "data directory /var/lib/postgresql/data/pgdata has group or world access" issue when using some CSIs e.g. Ceph + # use this init container to correct the permission + # as "fsGroup" applied before the init container running, the container has enough permission to execute the command + - name: "data-permissions-ensurer" + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: ["/bin/sh"] + args: ["-c", "chmod -R 700 /var/lib/postgresql/data/pgdata || true"] +{{- if .Values.database.internal.initContainer.permissions.resources }} + resources: +{{ toYaml .Values.database.internal.initContainer.permissions.resources | indent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + containers: + - name: database + image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 300 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.livenessProbe.timeoutSeconds }} + readinessProbe: + exec: + command: + - /docker-healthcheck.sh + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: {{ .Values.database.internal.readinessProbe.timeoutSeconds }} +{{- if .Values.database.internal.resources }} + resources: +{{ toYaml .Values.database.internal.resources | indent 10 }} +{{- end }} + envFrom: + - secretRef: + name: "{{ template "harbor.database" . }}" + env: + # put the data into a sub directory to avoid the permission issue in k8s with restricted psp enabled + # more detail refer to https://github.com/goharbor/harbor-helm/issues/756 + - name: PGDATA + value: "/var/lib/postgresql/data/pgdata" +{{- with .Values.database.internal.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: database-data + mountPath: /var/lib/postgresql/data + subPath: {{ $database.subPath }} + - name: shm-volume + mountPath: /dev/shm + volumes: + - name: shm-volume + emptyDir: + medium: Memory + sizeLimit: {{ .Values.database.internal.shmSizeLimit }} + {{- if not .Values.persistence.enabled }} + - name: "database-data" + emptyDir: {} + {{- else if $database.existingClaim }} + - name: "database-data" + persistentVolumeClaim: + claimName: {{ $database.existingClaim }} + {{- end -}} + {{- with .Values.database.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.database.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.database.internal.priorityClassName }} + priorityClassName: {{ .Values.database.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $database.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: "database-data" + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $database.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $database.accessMode | quote }}] + {{- if $database.storageClass }} + {{- if (eq "-" $database.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $database.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $database.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.2/templates/database/database-svc.yaml b/charts/harbor/harbor/1.14.2/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-dpl.yaml new file mode 100644 index 0000000000..6d2e1f53ac --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-dpl.yaml @@ -0,0 +1,139 @@ +{{- if .Values.metrics.enabled}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: exporter +spec: + replicas: {{ .Values.exporter.replicas }} + revisionHistoryLimit: {{ .Values.exporter.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: exporter + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: exporter +{{- if .Values.exporter.podLabels }} +{{ toYaml .Values.exporter.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/core/core-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.exporter.podAnnotations }} +{{ toYaml .Values.exporter.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.exporter.serviceAccountName }} + serviceAccountName: {{ .Values.exporter.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.exporter.automountServiceAccountToken | default false }} +{{- with .Values.exporter.topologySpreadConstraints }} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: exporter +{{- end }} +{{- end }} + containers: + - name: exporter + image: {{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + port: {{ .Values.metrics.exporter.port }} + initialDelaySeconds: 30 + periodSeconds: 10 + args: ["-log-level", "{{ .Values.logLevel }}"] + envFrom: + - configMapRef: + name: "{{ template "harbor.exporter" . }}-env" + - secretRef: + name: "{{ template "harbor.exporter" . }}" + env: + {{- if .Values.database.external.existingSecret }} + - name: HARBOR_DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.database.external.existingSecret }} + key: password + {{- end }} + {{- if .Values.existingSecretAdminPassword }} + - name: HARBOR_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.existingSecretAdminPassword }} + key: {{ .Values.existingSecretAdminPasswordKey }} + {{- end }} +{{- if .Values.exporter.resources }} + resources: +{{ toYaml .Values.exporter.resources | indent 10 }} +{{- end }} +{{- with .Values.exporter.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.core.containerPort" . }} + volumeMounts: + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + mountPath: /etc/harbor/ssl/core + # There are some metric data are collectd from harbor core. + # When internal TLS is enabled, the Exporter need the CA file to collect these data. + {{- end }} + volumes: + - name: config + secret: + secretName: "{{ template "harbor.exporter" . }}" + {{- if .Values.internalTLS.enabled }} + - name: core-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.core.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.exporter.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.exporter.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.exporter.priorityClassName }} + priorityClassName: {{ .Values.exporter.priorityClassName }} + {{- end }} +{{ end }} diff --git a/charts/harbor/harbor/1.14.2/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/1.14.2/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.14.2/templates/ingress/ingress.yaml new file mode 100644 index 0000000000..e4c06939c6 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/ingress/ingress.yaml @@ -0,0 +1,145 @@ +{{- if eq .Values.expose.type "ingress" }} +{{- $ingress := .Values.expose.ingress -}} +{{- $tls := .Values.expose.tls -}} +{{- if eq .Values.expose.ingress.controller "gce" }} + {{- $_ := set . "portal_path" "/*" -}} + {{- $_ := set . "api_path" "/api/*" -}} + {{- $_ := set . "service_path" "/service/*" -}} + {{- $_ := set . "v2_path" "/v2/*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/*" -}} + {{- $_ := set . "controller_path" "/c/*" -}} +{{- else if eq .Values.expose.ingress.controller "ncp" }} + {{- $_ := set . "portal_path" "/.*" -}} + {{- $_ := set . "api_path" "/api/.*" -}} + {{- $_ := set . "service_path" "/service/.*" -}} + {{- $_ := set . "v2_path" "/v2/.*" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/.*" -}} + {{- $_ := set . "controller_path" "/c/.*" -}} +{{- else }} + {{- $_ := set . "portal_path" "/" -}} + {{- $_ := set . "api_path" "/api/" -}} + {{- $_ := set . "service_path" "/service/" -}} + {{- $_ := set . "v2_path" "/v2/" -}} + {{- $_ := set . "chartrepo_path" "/chartrepo/" -}} + {{- $_ := set . "controller_path" "/c/" -}} +{{- end }} + +--- +{{- if semverCompare "<1.14-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: extensions/v1beta1 +{{- else if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: Ingress +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- if $ingress.harbor.labels }} +{{ toYaml $ingress.harbor.labels | indent 4 }} +{{- end }} + annotations: +{{ toYaml $ingress.annotations | indent 4 }} +{{- if .Values.internalTLS.enabled }} + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} +{{- if eq .Values.expose.ingress.controller "ncp" }} + ncp/use-regex: "true" + {{- if $tls.enabled }} + ncp/http-redirect: "true" + {{- end }} +{{- end }} +{{- if $ingress.harbor.annotations }} +{{ toYaml $ingress.harbor.annotations | indent 4 }} +{{- end }} +spec: + {{- if $ingress.className }} + ingressClassName: {{ $ingress.className }} + {{- end }} + {{- if $tls.enabled }} + tls: + - secretName: {{ template "harbor.tlsCoreSecretForIngress" . }} + {{- if $ingress.hosts.core }} + hosts: + - {{ $ingress.hosts.core }} + {{- end }} + {{- end }} + rules: + - http: + paths: +{{- if semverCompare "<1.19-0" (include "harbor.ingress.kubeVersion" .) }} + - path: {{ .api_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + backend: + serviceName: {{ template "harbor.core" . }} + servicePort: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + backend: + serviceName: {{ template "harbor.portal" . }} + servicePort: {{ template "harbor.portal.servicePort" . }} +{{- else }} + - path: {{ .api_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .service_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .v2_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .chartrepo_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .controller_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.core" . }} + port: + number: {{ template "harbor.core.servicePort" . }} + - path: {{ .portal_path }} + pathType: Prefix + backend: + service: + name: {{ template "harbor.portal" . }} + port: + number: {{ template "harbor.portal.servicePort" . }} +{{- end }} + {{- if $ingress.hosts.core }} + host: {{ $ingress.hosts.core }} + {{- end }} + +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/ingress/secret.yaml b/charts/harbor/harbor/1.14.2/templates/ingress/secret.yaml new file mode 100644 index 0000000000..41507b3dd9 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.14.2/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-dpl.yaml new file mode 100644 index 0000000000..e39e77e6ed --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-dpl.yaml @@ -0,0 +1,173 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + replicas: {{ .Values.jobservice.replicas }} + revisionHistoryLimit: {{ .Values.jobservice.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: jobservice + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: jobservice +{{- if .Values.jobservice.podLabels }} +{{ toYaml .Values.jobservice.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm.yaml") . | sha256sum }} + checksum/configmap-env: {{ include (print $.Template.BasePath "/jobservice/jobservice-cm-env.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/jobservice/jobservice-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.jobservice.podAnnotations }} +{{ toYaml .Values.jobservice.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 +{{- if .Values.jobservice.serviceAccountName }} + serviceAccountName: {{ .Values.jobservice.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.jobservice.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.jobservice.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: jobservice +{{- end }} +{{- end }} + containers: + - name: jobservice + image: {{ .Values.jobservice.image.repository }}:{{ .Values.jobservice.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/v1/stats + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.jobservice.containerPort" . }} + initialDelaySeconds: 20 + periodSeconds: 10 +{{- if .Values.jobservice.resources }} + resources: +{{ toYaml .Values.jobservice.resources | indent 10 }} +{{- end }} + env: + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + {{- if .Values.jobservice.existingSecret }} + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/jobservice/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/jobservice/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/jobservice/ca.crt + {{- end }} + {{- if .Values.registry.credentials.existingSecret }} + - name: REGISTRY_CREDENTIAL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.registry.credentials.existingSecret }} + key: REGISTRY_PASSWD + {{- end }} +{{- with .Values.jobservice.extraEnvVars }} +{{- toYaml . | nindent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.jobservice" . }}-env" + - secretRef: + name: "{{ template "harbor.jobservice" . }}" + ports: + - containerPort: {{ template "harbor.jobservice.containerPort" . }} + volumeMounts: + - name: jobservice-config + mountPath: /etc/jobservice/config.yml + subPath: config.yml + - name: job-logs + mountPath: /var/log/jobs + subPath: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.subPath }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + mountPath: /etc/harbor/ssl/jobservice + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: jobservice-config + configMap: + name: "{{ template "harbor.jobservice" . }}" + - name: job-logs + {{- if and .Values.persistence.enabled (has "file" .Values.jobservice.jobLoggers) }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.jobservice.jobLog.existingClaim | default (include "harbor.jobservice" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: jobservice-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.jobservice.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.jobservice.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.jobservice.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.jobservice.priorityClassName }} + priorityClassName: {{ .Values.jobservice.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-pvc.yaml new file mode 100644 index 0000000000..a6b8b8bd38 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-pvc.yaml @@ -0,0 +1,30 @@ +{{- $jobLog := .Values.persistence.persistentVolumeClaim.jobservice.jobLog -}} +{{- if and .Values.persistence.enabled (not $jobLog.existingClaim) (has "file" .Values.jobservice.jobLoggers) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.jobservice" . }} + annotations: + {{- range $key, $value := $jobLog.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: jobservice +spec: + accessModes: + - {{ $jobLog.accessMode }} + resources: + requests: + storage: {{ $jobLog.size }} + {{- if $jobLog.storageClass }} + {{- if eq "-" $jobLog.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $jobLog.storageClass }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..eeb00bde00 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,16 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.jobservice.existingSecret }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.14.2/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..1122ef01ef --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.14.2/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.14.2/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..56c943a619 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/nginx/configmap-https.yaml @@ -0,0 +1,187 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.14.2/templates/nginx/deployment.yaml new file mode 100644 index 0000000000..8290d497b6 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/nginx/deployment.yaml @@ -0,0 +1,126 @@ +{{- if ne .Values.expose.type "ingress" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: nginx +spec: + replicas: {{ .Values.nginx.replicas }} + revisionHistoryLimit: {{ .Values.nginx.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: nginx + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: nginx +{{- if .Values.nginx.podLabels }} +{{ toYaml .Values.nginx.podLabels | indent 8 }} +{{- end }} + annotations: + {{- if not .Values.expose.tls.enabled }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-http.yaml") . | sha256sum }} + {{- else }} + checksum/configmap: {{ include (print $.Template.BasePath "/nginx/configmap-https.yaml") . | sha256sum }} + {{- end }} + {{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} + checksum/secret: {{ include (print $.Template.BasePath "/nginx/secret.yaml") . | sha256sum }} + {{- end }} +{{- if .Values.nginx.podAnnotations }} +{{ toYaml .Values.nginx.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- if .Values.nginx.serviceAccountName }} + serviceAccountName: {{ .Values.nginx.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.nginx.automountServiceAccountToken | default false }} +{{- with .Values.nginx.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: nginx +{{- end }} +{{- end }} + containers: + - name: nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: "{{ .Values.imagePullPolicy }}" + {{- $_ := set . "scheme" "HTTP" -}} + {{- $_ := set . "port" "8080" -}} + {{- if .Values.expose.tls.enabled }} + {{- $_ := set . "scheme" "HTTPS" -}} + {{- $_ := set . "port" "8443" -}} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + scheme: {{ .scheme }} + path: / + port: {{ .port }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.nginx.resources }} + resources: +{{ toYaml .Values.nginx.resources | indent 10 }} +{{- end }} +{{- with .Values.nginx.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 8443 + - containerPort: 4443 + volumeMounts: + - name: config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.expose.tls.enabled }} + - name: certificate + mountPath: /etc/nginx/cert + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "harbor.nginx" . }} + {{- if .Values.expose.tls.enabled }} + - name: certificate + secret: + secretName: {{ template "harbor.tlsSecretForNginx" . }} + {{- end }} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nginx.priorityClassName }} + priorityClassName: {{ .Values.nginx.priorityClassName }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/nginx/secret.yaml b/charts/harbor/harbor/1.14.2/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/nginx/service.yaml b/charts/harbor/harbor/1.14.2/templates/nginx/service.yaml new file mode 100644 index 0000000000..205a805ea4 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/nginx/service.yaml @@ -0,0 +1,81 @@ +{{- if or (eq .Values.expose.type "clusterIP") (eq .Values.expose.type "nodePort") (eq .Values.expose.type "loadBalancer") }} +apiVersion: v1 +kind: Service +metadata: +{{- if eq .Values.expose.type "clusterIP" }} +{{- $clusterIP := .Values.expose.clusterIP }} + name: {{ $clusterIP.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $clusterIP.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.expose.clusterIP.staticClusterIP }} + clusterIP: {{ .Values.expose.clusterIP.staticClusterIP }} + {{- end }} + ports: + - name: http + port: {{ $clusterIP.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $clusterIP.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- else if eq .Values.expose.type "nodePort" }} +{{- $nodePort := .Values.expose.nodePort }} + name: {{ $nodePort.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + type: NodePort + ports: + - name: http + port: {{ $nodePort.ports.http.port }} + targetPort: 8080 + {{- if $nodePort.ports.http.nodePort }} + nodePort: {{ $nodePort.ports.http.nodePort }} + {{- end }} + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $nodePort.ports.https.port }} + targetPort: 8443 + {{- if $nodePort.ports.https.nodePort }} + nodePort: {{ $nodePort.ports.https.nodePort }} + {{- end }} + {{- end }} +{{- else if eq .Values.expose.type "loadBalancer" }} +{{- $loadBalancer := .Values.expose.loadBalancer }} + name: {{ $loadBalancer.name }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with $loadBalancer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: + type: LoadBalancer + {{- with $loadBalancer.sourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if $loadBalancer.IP }} + loadBalancerIP: {{ $loadBalancer.IP }} + {{- end }} + ports: + - name: http + port: {{ $loadBalancer.ports.httpPort }} + targetPort: 8080 + {{- if .Values.expose.tls.enabled }} + - name: https + port: {{ $loadBalancer.ports.httpsPort }} + targetPort: 8443 + {{- end }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: nginx +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/portal/configmap.yaml b/charts/harbor/harbor/1.14.2/templates/portal/configmap.yaml new file mode 100644 index 0000000000..7b2118e721 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/portal/configmap.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/1.14.2/templates/portal/deployment.yaml b/charts/harbor/harbor/1.14.2/templates/portal/deployment.yaml new file mode 100644 index 0000000000..959a3fd7b5 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/portal/deployment.yaml @@ -0,0 +1,114 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: portal +spec: + replicas: {{ .Values.portal.replicas }} + revisionHistoryLimit: {{ .Values.portal.revisionHistoryLimit }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: portal + template: + metadata: + labels: +{{ include "harbor.matchLabels" . | indent 8 }} + component: portal +{{- if .Values.portal.podLabels }} +{{ toYaml .Values.portal.podLabels | indent 8 }} +{{- end }} + annotations: +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/portal/tls.yaml") . | sha256sum }} +{{- end }} + checksum/configmap: {{ include (print $.Template.BasePath "/portal/configmap.yaml") . | sha256sum }} +{{- if .Values.portal.podAnnotations }} +{{ toYaml .Values.portal.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- if .Values.portal.serviceAccountName }} + serviceAccountName: {{ .Values.portal.serviceAccountName }} +{{- end }} + automountServiceAccountToken: {{ .Values.portal.automountServiceAccountToken | default false }} +{{- with .Values.portal.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: portal +{{- end }} +{{- end }} + containers: + - name: portal + image: {{ .Values.portal.image.repository }}:{{ .Values.portal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- if .Values.portal.resources }} + resources: +{{ toYaml .Values.portal.resources | indent 10 }} +{{- end }} +{{- with .Values.portal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.portal.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 + ports: + - containerPort: {{ template "harbor.portal.containerPort" . }} + volumeMounts: + - name: portal-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + mountPath: /etc/harbor/ssl/portal + {{- end }} + volumes: + - name: portal-config + configMap: + name: "{{ template "harbor.portal" . }}" + {{- if .Values.internalTLS.enabled }} + - name: portal-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.portal.secretName" . }} + {{- end }} + {{- with .Values.portal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.portal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.portal.priorityClassName }} + priorityClassName: {{ .Values.portal.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/portal/service.yaml b/charts/harbor/harbor/1.14.2/templates/portal/service.yaml new file mode 100644 index 0000000000..d00026da46 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/portal/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.portal.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.14.2/templates/portal/tls.yaml b/charts/harbor/harbor/1.14.2/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/redis/service.yaml b/charts/harbor/harbor/1.14.2/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.14.2/templates/redis/statefulset.yaml new file mode 100644 index 0000000000..371b0fd5aa --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/redis/statefulset.yaml @@ -0,0 +1,116 @@ +{{- if eq .Values.redis.type "internal" -}} +{{- $redis := .Values.persistence.persistentVolumeClaim.redis -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: redis +spec: + replicas: 1 + serviceName: {{ template "harbor.redis" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: redis + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: redis +{{- if .Values.redis.podLabels }} +{{ toYaml .Values.redis.podLabels | indent 8 }} +{{- end }} +{{- if .Values.redis.podAnnotations }} + annotations: +{{ toYaml .Values.redis.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 999 + fsGroup: 999 +{{- if .Values.redis.internal.serviceAccountName }} + serviceAccountName: {{ .Values.redis.internal.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.redis.internal.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 + containers: + - name: redis + image: {{ .Values.redis.internal.image.repository }}:{{ .Values.redis.internal.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 6379 + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.redis.internal.resources }} + resources: +{{ toYaml .Values.redis.internal.resources | indent 10 }} +{{- end }} +{{- with .Values.redis.internal.extraEnvVars }} + env: +{{- toYaml . | nindent 10 }} +{{- end }} + volumeMounts: + - name: data + mountPath: /var/lib/redis + subPath: {{ $redis.subPath }} + {{- if not .Values.persistence.enabled }} + volumes: + - name: data + emptyDir: {} + {{- else if $redis.existingClaim }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ $redis.existingClaim }} + {{- end -}} + {{- with .Values.redis.internal.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.redis.internal.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.redis.internal.priorityClassName }} + priorityClassName: {{ .Values.redis.internal.priorityClassName }} + {{- end }} + {{- if and .Values.persistence.enabled (not $redis.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $redis.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $redis.accessMode | quote }}] + {{- if $redis.storageClass }} + {{- if (eq "-" $redis.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $redis.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $redis.size | quote }} + {{- end -}} + {{- end -}} diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-dpl.yaml new file mode 100644 index 0000000000..dc4a833477 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-dpl.yaml @@ -0,0 +1,419 @@ +{{- $storage := .Values.persistence.imageChartStorage }} +{{- $type := $storage.type }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + revisionHistoryLimit: {{ .Values.registry.revisionHistoryLimit }} + strategy: + type: {{ .Values.updateStrategy.type }} + {{- if eq .Values.updateStrategy.type "Recreate" }} + rollingUpdate: null + {{- end }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: registry + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: registry +{{- if .Values.registry.podLabels }} +{{ toYaml .Values.registry.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/configmap: {{ include (print $.Template.BasePath "/registry/registry-cm.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/registry/registry-secret.yaml") . | sha256sum }} + checksum/secret-jobservice: {{ include (print $.Template.BasePath "/jobservice/jobservice-secrets.yaml") . | sha256sum }} + checksum/secret-core: {{ include (print $.Template.BasePath "/core/core-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/registry/registry-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.registry.podAnnotations }} +{{ toYaml .Values.registry.podAnnotations | indent 8 }} +{{- end }} + spec: + securityContext: + runAsUser: 10000 + fsGroup: 10000 + fsGroupChangePolicy: OnRootMismatch +{{- if .Values.registry.serviceAccountName }} + serviceAccountName: {{ .Values.registry.serviceAccountName }} +{{- end -}} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.registry.automountServiceAccountToken | default false }} + terminationGracePeriodSeconds: 120 +{{- with .Values.registry.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: registry +{{- end }} +{{- end }} + containers: + - name: registry + image: {{ .Values.registry.registry.image.repository }}:{{ .Values.registry.registry.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: / + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registry.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.registry.resources }} + resources: +{{ toYaml .Values.registry.registry.resources | indent 10 }} +{{- end }} + args: ["serve", "/etc/registry/config.yml"] + envFrom: + - secretRef: + name: "{{ template "harbor.registry" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.registry.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registry.containerPort" . }} + - containerPort: 5001 + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-htpasswd + mountPath: /etc/registry/passwd + subPath: passwd + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + mountPath: /etc/registry/pk.pem + subPath: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + - name: registryctl + image: {{ .Values.registry.controller.image.repository }}:{{ .Values.registry.controller.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 300 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /api/health + scheme: {{ include "harbor.component.scheme" . | upper }} + port: {{ template "harbor.registryctl.containerPort" . }} + initialDelaySeconds: 1 + periodSeconds: 10 +{{- if .Values.registry.controller.resources }} + resources: +{{ toYaml .Values.registry.controller.resources | indent 10 }} +{{- end }} + envFrom: + - configMapRef: + name: "{{ template "harbor.registryCtl" . }}" + - secretRef: + name: "{{ template "harbor.registry" . }}" + - secretRef: + name: "{{ template "harbor.registryCtl" . }}" + {{- if .Values.persistence.imageChartStorage.s3.existingSecret }} + - secretRef: + name: {{ .Values.persistence.imageChartStorage.s3.existingSecret }} + {{- end }} + env: + {{- if .Values.registry.existingSecret }} + - name: REGISTRY_HTTP_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.registry.existingSecret }} + key: {{ .Values.registry.existingSecretKey }} + {{- end }} + - name: CORE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.core" .) .Values.core.existingSecret }} + key: secret + - name: JOBSERVICE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (include "harbor.jobservice" .) .Values.jobservice.existingSecret }} + {{- if .Values.jobservice.existingSecret }} + key: {{ .Values.jobservice.existingSecretKey }} + {{- else }} + key: JOBSERVICE_SECRET + {{- end }} + {{- if has "registry" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: INTERNAL_TLS_KEY_PATH + value: /etc/harbor/ssl/registry/tls.key + - name: INTERNAL_TLS_CERT_PATH + value: /etc/harbor/ssl/registry/tls.crt + - name: INTERNAL_TLS_TRUST_CA_PATH + value: /etc/harbor/ssl/registry/ca.crt + {{- end }} + {{- if .Values.redis.external.existingSecret }} + - name: REGISTRY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.redis.external.existingSecret }} + key: REDIS_PASSWORD + {{- end }} + {{- if .Values.persistence.imageChartStorage.azure.existingSecret }} + - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.azure.existingSecret }} + key: AZURE_STORAGE_ACCESS_KEY + {{- end }} + {{- if .Values.persistence.imageChartStorage.swift.existingSecret }} + - name: REGISTRY_STORAGE_SWIFT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_PASSWORD + - name: REGISTRY_STORAGE_SWIFT_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_SECRETKEY + optional: true + - name: REGISTRY_STORAGE_SWIFT_ACCESSKEY + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.swift.existingSecret }} + key: REGISTRY_STORAGE_SWIFT_ACCESSKEY + optional: true + {{- end }} + {{- if .Values.persistence.imageChartStorage.oss.existingSecret }} + - name: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + valueFrom: + secretKeyRef: + name: {{ .Values.persistence.imageChartStorage.oss.existingSecret }} + key: REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + optional: true + {{- end}} +{{- with .Values.registry.controller.extraEnvVars }} +{{- toYaml . | nindent 8 }} +{{- end }} + ports: + - containerPort: {{ template "harbor.registryctl.containerPort" . }} + volumeMounts: + - name: registry-data + mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }} + subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }} + - name: registry-config + mountPath: /etc/registry/config.yml + subPath: config.yml + - name: registry-config + mountPath: /etc/registryctl/config.yml + subPath: ctl-config.yml + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + mountPath: /etc/harbor/ssl/registry + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + mountPath: /harbor_cust_cert/custom-ca-bundle.crt + subPath: ca.crt + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + mountPath: /etc/registry/gcs-key.json + subPath: gcs-key.json + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 8 }} + {{- end }} + volumes: + - name: registry-htpasswd + secret: + {{- if not .Values.registry.credentials.existingSecret }} + secretName: {{ template "harbor.registry" . }}-htpasswd + {{ else }} + secretName: {{ .Values.registry.credentials.existingSecret }} + {{- end }} + items: + - key: REGISTRY_HTPASSWD + path: passwd + - name: registry-config + configMap: + name: "{{ template "harbor.registry" . }}" + - name: registry-data + {{- if and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "filesystem") }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.persistentVolumeClaim.registry.existingClaim | default (include "harbor.registry" .) }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.internalTLS.enabled }} + - name: registry-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.registry.secretName" . }} + {{- end }} + {{- if and (and .Values.persistence.enabled (eq .Values.persistence.imageChartStorage.type "gcs")) (not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity ) }} + - name: gcs-key + secret: + {{- if and (eq $type "gcs") $storage.gcs.existingSecret }} + secretName: {{ $storage.gcs.existingSecret }} + {{- else }} + secretName: {{ template "harbor.registry" . }} + {{- end }} + items: + - key: GCS_KEY_DATA + path: gcs-key.json + {{- end }} + {{- if .Values.persistence.imageChartStorage.caBundleSecretName }} + - name: storage-service-ca + secret: + secretName: {{ .Values.persistence.imageChartStorage.caBundleSecretName }} + {{- end }} + {{- if .Values.registry.middleware.enabled }} + {{- if eq .Values.registry.middleware.type "cloudFront" }} + - name: cloudfront-key + secret: + secretName: {{ .Values.registry.middleware.cloudFront.privateKeySecret }} + items: + - key: CLOUDFRONT_KEY_DATA + path: pk.pem + {{- end }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- with .Values.registry.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.registry.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.registry.priorityClassName }} + priorityClassName: {{ .Values.registry.priorityClassName }} + {{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-pvc.yaml new file mode 100644 index 0000000000..2112e22877 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-pvc.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistence.enabled }} +{{- $registry := .Values.persistence.persistentVolumeClaim.registry -}} +{{- if and (not $registry.existingClaim) (eq .Values.persistence.imageChartStorage.type "filesystem") }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "harbor.registry" . }} + annotations: + {{- range $key, $value := $registry.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if eq .Values.persistence.resourcePolicy "keep" }} + helm.sh/resource-policy: keep + {{- end }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: registry +spec: + accessModes: + - {{ $registry.accessMode }} + resources: + requests: + storage: {{ $registry.size }} + {{- if $registry.storageClass }} + {{- if eq "-" $registry.storageClass }} + storageClassName: "" + {{- else }} + storageClassName: {{ $registry.storageClass }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..e853a9cbec --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-secret.yaml @@ -0,0 +1,55 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.registry.existingSecret }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.14.2/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.14.2/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.14.2/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-sts.yaml new file mode 100644 index 0000000000..7ee4e1068f --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-sts.yaml @@ -0,0 +1,224 @@ +{{- if .Values.trivy.enabled }} +{{- $trivy := .Values.persistence.persistentVolumeClaim.trivy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} + component: trivy +spec: + replicas: {{ .Values.trivy.replicas }} + serviceName: {{ template "harbor.trivy" . }} + selector: + matchLabels: +{{ include "harbor.matchLabels" . | indent 6 }} + component: trivy + template: + metadata: + labels: +{{ include "harbor.labels" . | indent 8 }} + component: trivy +{{- if .Values.trivy.podLabels }} +{{ toYaml .Values.trivy.podLabels | indent 8 }} +{{- end }} + annotations: + checksum/secret: {{ include (print $.Template.BasePath "/trivy/trivy-secret.yaml") . | sha256sum }} +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} + checksum/tls: {{ include (print $.Template.BasePath "/internal/auto-tls.yaml") . | sha256sum }} +{{- else if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "manual") }} + checksum/tls: {{ include (print $.Template.BasePath "/trivy/trivy-tls.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.trivy.podAnnotations }} +{{ toYaml .Values.trivy.podAnnotations | indent 8 }} +{{- end }} + spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} +{{- end }} +{{- if .Values.trivy.serviceAccountName }} + serviceAccountName: {{ .Values.trivy.serviceAccountName }} +{{- end }} + securityContext: + runAsUser: 10000 + fsGroup: 10000 + automountServiceAccountToken: {{ .Values.trivy.automountServiceAccountToken | default false }} +{{- with .Values.trivy.topologySpreadConstraints}} + topologySpreadConstraints: +{{- range . }} + - {{ . | toYaml | indent 8 | trim }} + labelSelector: + matchLabels: +{{ include "harbor.matchLabels" $ | indent 12 }} + component: trivy +{{- end }} +{{- end }} + containers: + - name: trivy + image: {{ .Values.trivy.image.repository }}:{{ .Values.trivy.image.tag }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: false + allowPrivilegeEscalation: false + env: + {{- if has "trivy" .Values.proxy.components }} + - name: HTTP_PROXY + value: "{{ .Values.proxy.httpProxy }}" + - name: HTTPS_PROXY + value: "{{ .Values.proxy.httpsProxy }}" + - name: NO_PROXY + value: "{{ template "harbor.noProxy" . }}" + {{- end }} + - name: "SCANNER_LOG_LEVEL" + value: {{ .Values.logLevel | quote }} + - name: "SCANNER_TRIVY_CACHE_DIR" + value: "/home/scanner/.cache/trivy" + - name: "SCANNER_TRIVY_REPORTS_DIR" + value: "/home/scanner/.cache/reports" + - name: "SCANNER_TRIVY_DEBUG_MODE" + value: {{ .Values.trivy.debugMode | quote }} + - name: "SCANNER_TRIVY_VULN_TYPE" + value: {{ .Values.trivy.vulnType | quote }} + - name: "SCANNER_TRIVY_TIMEOUT" + value: {{ .Values.trivy.timeout | quote }} + - name: "SCANNER_TRIVY_GITHUB_TOKEN" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: gitHubToken + - name: "SCANNER_TRIVY_SEVERITY" + value: {{ .Values.trivy.severity | quote }} + - name: "SCANNER_TRIVY_IGNORE_UNFIXED" + value: {{ .Values.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_UPDATE" + value: {{ .Values.trivy.skipUpdate | default false | quote }} + - name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" + value: {{ .Values.trivy.skipJavaDBUpdate | default false | quote }} + - name: "SCANNER_TRIVY_OFFLINE_SCAN" + value: {{ .Values.trivy.offlineScan | default false | quote }} + - name: "SCANNER_TRIVY_SECURITY_CHECKS" + value: {{ .Values.trivy.securityCheck | quote }} + - name: "SCANNER_TRIVY_INSECURE" + value: {{ .Values.trivy.insecure | default false | quote }} + - name: SCANNER_API_SERVER_ADDR + value: ":{{ template "harbor.trivy.containerPort" . }}" + {{- if .Values.internalTLS.enabled }} + - name: INTERNAL_TLS_ENABLED + value: "true" + - name: SCANNER_API_SERVER_TLS_KEY + value: /etc/harbor/ssl/trivy/tls.key + - name: SCANNER_API_SERVER_TLS_CERTIFICATE + value: /etc/harbor/ssl/trivy/tls.crt + {{- end }} + - name: "SCANNER_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_STORE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL + - name: "SCANNER_JOB_QUEUE_REDIS_URL" + valueFrom: + secretKeyRef: + name: {{ template "harbor.trivy" . }} + key: redisURL +{{- with .Values.trivy.extraEnvVars }} +{{- toYaml . | nindent 12 }} +{{- end }} + ports: + - name: api-server + containerPort: {{ template "harbor.trivy.containerPort" . }} + volumeMounts: + - name: data + mountPath: /home/scanner/.cache + subPath: {{ .Values.persistence.persistentVolumeClaim.trivy.subPath }} + readOnly: false + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + mountPath: /etc/harbor/ssl/trivy + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolumeMount" . | indent 10 }} + {{- end }} + livenessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/healthy + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + readinessProbe: + httpGet: + scheme: {{ include "harbor.component.scheme" . | upper }} + path: /probe/ready + port: api-server + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: +{{ toYaml .Values.trivy.resources | indent 12 }} + {{- if or (or .Values.internalTLS.enabled .Values.caBundleSecretName) (or (not .Values.persistence.enabled) $trivy.existingClaim) }} + volumes: + {{- if .Values.internalTLS.enabled }} + - name: trivy-internal-certs + secret: + secretName: {{ template "harbor.internalTLS.trivy.secretName" . }} + {{- end }} + {{- if .Values.caBundleSecretName }} +{{ include "harbor.caBundleVolume" . | indent 6 }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: "data" + emptyDir: {} + {{- else if $trivy.existingClaim }} + - name: "data" + persistentVolumeClaim: + claimName: {{ $trivy.existingClaim }} + {{- end }} + {{- end }} + {{- with .Values.trivy.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.trivy.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.trivy.priorityClassName }} + priorityClassName: {{ .Values.trivy.priorityClassName }} + {{- end }} +{{- if and .Values.persistence.enabled (not $trivy.existingClaim) }} + volumeClaimTemplates: + - metadata: + name: data + labels: +{{ include "harbor.labels" . | indent 8 }} + annotations: + {{- range $key, $value := $trivy.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + accessModes: [{{ $trivy.accessMode | quote }}] + {{- if $trivy.storageClass }} + {{- if (eq "-" $trivy.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $trivy.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: {{ $trivy.size | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.14.2/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.14.2/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.14.2/values.yaml b/charts/harbor/harbor/1.14.2/values.yaml new file mode 100644 index 0000000000..688b42c3ae --- /dev/null +++ b/charts/harbor/harbor/1.14.2/values.yaml @@ -0,0 +1,992 @@ +expose: + # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer" + # and fill the information in the corresponding section + type: ingress + tls: + # Enable TLS or not. + # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress" + # Note: if the "expose.type" is "ingress" and TLS is disabled, + # the port must be included in the command when pulling/pushing images. + # Refer to https://github.com/goharbor/harbor/issues/5291 for details. + enabled: true + # The source of the tls certificate. Set as "auto", "secret" + # or "none" and fill the information in the corresponding section + # 1) auto: generate the tls certificate automatically + # 2) secret: read the tls certificate from the specified secret. + # The tls certificate can be generated manually or by cert manager + # 3) none: configure no tls certificate for the ingress. If the default + # tls certificate is configured in the ingress controller, choose this option + certSource: auto + auto: + # The common name used to generate the certificate, it's necessary + # when the type isn't "ingress" + commonName: "" + secret: + # The name of secret which contains keys named: + # "tls.crt" - the certificate + # "tls.key" - the private key + secretName: "" + ingress: + hosts: + core: core.harbor.domain + # set to the type of ingress controller if it has specific requirements. + # leave as `default` for most ingress controllers. + # set to `gce` if using the GCE ingress controller + # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller + # set to `alb` if using the ALB ingress controller + # set to `f5-bigip` if using the F5 BIG-IP ingress controller + controller: default + ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress + kubeVersionOverride: "" + className: "" + annotations: + # note different ingress controllers may require a different ssl-redirect annotation + # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below + ingress.kubernetes.io/ssl-redirect: "true" + ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + harbor: + # harbor ingress-specific annotations + annotations: {} + # harbor ingress-specific labels + labels: {} + clusterIP: + # The name of ClusterIP service + name: harbor + # The ip address of the ClusterIP service (leave empty for acquiring dynamic ip) + staticClusterIP: "" + # Annotations on the ClusterIP service + annotations: {} + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + nodePort: + # The name of NodePort service + name: harbor + ports: + http: + # The service port Harbor listens on when serving HTTP + port: 80 + # The node port Harbor listens on when serving HTTP + nodePort: 30002 + https: + # The service port Harbor listens on when serving HTTPS + port: 443 + # The node port Harbor listens on when serving HTTPS + nodePort: 30003 + loadBalancer: + # The name of LoadBalancer service + name: harbor + # Set the IP if the LoadBalancer supports assigning IP + IP: "" + ports: + # The service port Harbor listens on when serving HTTP + httpPort: 80 + # The service port Harbor listens on when serving HTTPS + httpsPort: 443 + annotations: {} + sourceRanges: [] + +# The external URL for Harbor core service. It is used to +# 1) populate the docker/helm commands showed on portal +# 2) populate the token service URL returned to docker client +# +# Format: protocol://domain[:port]. Usually: +# 1) if "expose.type" is "ingress", the "domain" should be +# the value of "expose.ingress.hosts.core" +# 2) if "expose.type" is "clusterIP", the "domain" should be +# the value of "expose.clusterIP.name" +# 3) if "expose.type" is "nodePort", the "domain" should be +# the IP address of k8s node +# +# If Harbor is deployed behind the proxy, set it as the URL of proxy +externalURL: https://core.harbor.domain + +# The internal TLS used for harbor components secure communicating. In order to enable https +# in each component tls cert files need to provided in advance. +internalTLS: + # If internal TLS enabled + enabled: false + # enable strong ssl ciphers (default: false) + strong_ssl_ciphers: false + # There are three ways to provide tls + # 1) "auto" will generate cert automatically + # 2) "manual" need provide cert file manually in following value + # 3) "secret" internal certificates from secret + certSource: "auto" + # The content of trust ca, only available when `certSource` is "manual" + trustCa: "" + # core related cert configuration + core: + # secret name for core's tls certs + secretName: "" + # Content of core's TLS cert file, only available when `certSource` is "manual" + crt: "" + # Content of core's TLS key file, only available when `certSource` is "manual" + key: "" + # jobservice related cert configuration + jobservice: + # secret name for jobservice's tls certs + secretName: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of jobservice's TLS key file, only available when `certSource` is "manual" + key: "" + # registry related cert configuration + registry: + # secret name for registry's tls certs + secretName: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of registry's TLS key file, only available when `certSource` is "manual" + key: "" + # portal related cert configuration + portal: + # secret name for portal's tls certs + secretName: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of portal's TLS key file, only available when `certSource` is "manual" + key: "" + # trivy related cert configuration + trivy: + # secret name for trivy's tls certs + secretName: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + crt: "" + # Content of trivy's TLS key file, only available when `certSource` is "manual" + key: "" + +ipFamily: + # ipv6Enabled set to true if ipv6 is enabled in cluster, currently it affected the nginx related component + ipv6: + enabled: true + # ipv4Enabled set to true if ipv4 is enabled in cluster, currently it affected the nginx related component + ipv4: + enabled: true + +# The persistence is enabled by default and a default StorageClass +# is needed in the k8s cluster to provision volumes dynamically. +# Specify another StorageClass in the "storageClass" or set "existingClaim" +# if you already have existing persistent volumes to use +# +# For storing images and charts, you can also use "azure", "gcs", "s3", +# "swift" or "oss". Set it in the "imageChartStorage" section +persistence: + enabled: true + # Setting it to "keep" to avoid removing PVCs during a helm delete + # operation. Leaving it empty will delete PVCs after the chart deleted + # (this does not apply for PVCs that are created for internal database + # and redis components, i.e. they are never deleted automatically) + resourcePolicy: "keep" + persistentVolumeClaim: + registry: + # Use the existing PVC which must be created manually before bound, + # and specify the "subPath" if the PVC is shared with other components + existingClaim: "" + # Specify the "storageClass" used to provision the volume. Or the default + # StorageClass will be used (the default). + # Set it to "-" to disable dynamic provisioning + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + jobservice: + jobLog: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external database is used, the following settings for database will + # be ignored + database: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + # If external Redis is used, the following settings for Redis will + # be ignored + redis: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 1Gi + annotations: {} + trivy: + existingClaim: "" + storageClass: "" + subPath: "" + accessMode: ReadWriteOnce + size: 5Gi + annotations: {} + # Define which storage backend is used for registry to store + # images and charts. Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#storage + # for the detail. + imageChartStorage: + # Specify whether to disable `redirect` for images and chart storage, for + # backends which not supported it (such as using minio for `s3` storage type), please disable + # it. To disable redirects, simply set `disableredirect` to `true` instead. + # Refer to + # https://github.com/distribution/distribution/blob/main/docs/configuration.md#redirect + # for the detail. + disableredirect: false + # Specify the "caBundleSecretName" if the storage service uses a self-signed certificate. + # The secret must contain keys named "ca.crt" which will be injected into the trust store + # of registry's containers. + # caBundleSecretName: + + # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift", + # "oss" and fill the information needed in the corresponding section. The type + # must be "filesystem" if you want to use persistent volumes for registry + type: filesystem + filesystem: + rootdirectory: /storage + #maxthreads: 100 + azure: + accountname: accountname + accountkey: base64encodedaccountkey + container: containername + #realm: core.windows.net + # To use existing secret, the key must be AZURE_STORAGE_ACCESS_KEY + existingSecret: "" + gcs: + bucket: bucketname + # The base64 encoded json file which contains the key + encodedkey: base64-encoded-json-key-file + #rootdirectory: /gcs/object/name/prefix + #chunksize: "5242880" + # To use existing secret, the key must be GCS_KEY_DATA + existingSecret: "" + useWorkloadIdentity: false + s3: + # Set an existing secret for S3 accesskey and secretkey + # keys in the secret should be REGISTRY_STORAGE_S3_ACCESSKEY and REGISTRY_STORAGE_S3_SECRETKEY for registry + #existingSecret: "" + region: us-west-1 + bucket: bucketname + #accesskey: awsaccesskey + #secretkey: awssecretkey + #regionendpoint: http://myobjects.local + #encrypt: false + #keyid: mykeyid + #secure: true + #skipverify: false + #v4auth: true + #chunksize: "5242880" + #rootdirectory: /s3/object/name/prefix + #storageclass: STANDARD + #multipartcopychunksize: "33554432" + #multipartcopymaxconcurrency: 100 + #multipartcopythresholdsize: "33554432" + swift: + authurl: https://storage.myprovider.com/v3/auth + username: username + password: password + container: containername + # keys in existing secret must be REGISTRY_STORAGE_SWIFT_PASSWORD, REGISTRY_STORAGE_SWIFT_SECRETKEY, REGISTRY_STORAGE_SWIFT_ACCESSKEY + existingSecret: "" + #region: fr + #tenant: tenantname + #tenantid: tenantid + #domain: domainname + #domainid: domainid + #trustid: trustid + #insecureskipverify: false + #chunksize: 5M + #prefix: + #secretkey: secretkey + #accesskey: accesskey + #authversion: 3 + #endpointtype: public + #tempurlcontainerkey: false + #tempurlmethods: + oss: + accesskeyid: accesskeyid + accesskeysecret: accesskeysecret + region: regionname + bucket: bucketname + # key in existingSecret must be REGISTRY_STORAGE_OSS_ACCESSKEYSECRET + existingSecret: "" + #endpoint: endpoint + #internal: false + #encrypt: false + #secure: true + #chunksize: 10M + #rootdirectory: rootdirectory + +imagePullPolicy: IfNotPresent + +# Use this set to assign a list of default pullSecrets +imagePullSecrets: +# - name: docker-registry-secret +# - name: internal-registry-secret + +# The update strategy for deployments with persistent volumes(jobservice, registry): "RollingUpdate" or "Recreate" +# Set it as "Recreate" when "RWM" for volumes isn't supported +updateStrategy: + type: RollingUpdate + +# debug, info, warning, error or fatal +logLevel: info + +# The initial password of Harbor admin. Change it from portal after launching Harbor +# or give an existing secret for it +# key in secret is given via (default to HARBOR_ADMIN_PASSWORD) +# existingSecretAdminPassword: +existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD +harborAdminPassword: "Harbor12345" + +# The name of the secret which contains key named "ca.crt". Setting this enables the +# download link on portal to download the CA certificate when the certificate isn't +# generated automatically +caSecretName: "" + +# The secret key used for encryption. Must be a string of 16 chars. +secretKey: "not-a-secure-key" +# If using existingSecretSecretKey, the key must be secretKey +existingSecretSecretKey: "" + +# The proxy settings for updating trivy vulnerabilities from the Internet and replicating +# artifacts from/to the registries that cannot be reached directly +proxy: + httpProxy: + httpsProxy: + noProxy: 127.0.0.1,localhost,.local,.internal + components: + - core + - jobservice + - trivy + +# Run the migration job via helm hook +enableMigrateHelmHook: false + +# The custom ca bundle secret, the secret must contain key named "ca.crt" +# which will be injected into the trust store for core, jobservice, registry, trivy components +# caBundleSecretName: "" + +## UAA Authentication Options +# If you're using UAA for authentication behind a self-signed +# certificate you will need to provide the CA Cert. +# Set uaaSecretName below to provide a pre-created secret that +# contains a base64 encoded CA Certificate named `ca.crt`. +# uaaSecretName: + +# If service exposed via "ingress", the Nginx will not be used +nginx: + image: + repository: goharbor/nginx-photon + tag: v2.10.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +portal: + image: + repository: goharbor/harbor-portal + tag: v2.10.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## The priority class to run the pod as + priorityClassName: + +core: + image: + repository: goharbor/harbor-core + tag: v2.10.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + replicas: 1 + revisionHistoryLimit: 10 + ## Startup probe values + startupProbe: + enabled: true + initialDelaySeconds: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## Additional service annotations + serviceAnnotations: {} + ## User settings configuration json string + configureUserSettings: + # The provider for updating project quota(usage), there are 2 options, redis or db. + # By default it is implemented by db but you can configure it to redis which + # can improve the performance of high concurrent pushing to the same project, + # and reduce the database connections spike and occupies. + # Using redis will bring up some delay for quota usage updation for display, so only + # suggest switch provider to redis if you were ran into the db connections spike around + # the scenario of high concurrent pushing to same project, no improvment for other scenes. + quotaUpdateProvider: db # Or redis + # Secret is used when core server communicates with other components. + # If a secret key is not specified, Helm will generate one. Alternatively set existingSecret to use an existing secret + # Must be a string of 16 chars. + secret: "" + # Fill in the name of a kubernetes secret if you want to use your own + # If using existingSecret, the key must be secret + existingSecret: "" + # Fill the name of a kubernetes secret if you want to use your own + # TLS certificate and private key for token encryption/decryption. + # The secret must contain keys named: + # "tls.key" - the private key + # "tls.crt" - the certificate + secretName: "" + # If not specifying a preexisting secret, a secret can be created from tokenKey and tokenCert and used instead. + # If none of secretName, tokenKey, and tokenCert are specified, an ephemeral key and certificate will be autogenerated. + # tokenKey and tokenCert must BOTH be set or BOTH unset. + # The tokenKey value is formatted as a multiline string containing a PEM-encoded RSA key, indented one more than tokenKey on the following line. + tokenKey: | + # If tokenKey is set, the value of tokenCert must be set as a PEM-encoded certificate signed by tokenKey, and supplied as a multiline string, indented one more than tokenCert on the following line. + tokenCert: | + # The XSRF key. Will be generated automatically if it isn't specified + xsrfKey: "" + # If using existingSecret, the key is defined by core.existingXsrfSecretKey + existingXsrfSecret: "" + # If using existingSecret, the key + existingXsrfSecretKey: CSRF_KEY + ## The priority class to run the pod as + priorityClassName: + # The time duration for async update artifact pull_time and repository + # pull_count, the unit is second. Will be 10 seconds if it isn't set. + # eg. artifactPullAsyncFlushDuration: 10 + artifactPullAsyncFlushDuration: + gdpr: + deleteUser: false + auditLogsCompliant: false + +jobservice: + image: + repository: goharbor/harbor-jobservice + tag: v2.10.2 + replicas: 1 + revisionHistoryLimit: 10 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + maxJobWorkers: 10 + # The logger for jobs: "file", "database" or "stdout" + jobLoggers: + - file + # - database + # - stdout + # The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`) + loggerSweeperDuration: 14 #days + notification: + webhook_job_max_retry: 3 + webhook_job_http_client_timeout: 3 # in seconds + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: 24 + # the max time for execution in running state without new task created + max_dangling_hours: 168 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + # Secret is used when job service communicates with other components. + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the job service secret + existingSecretKey: JOBSERVICE_SECRET + ## The priority class to run the pod as + priorityClassName: + +registry: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + registry: + image: + repository: goharbor/registry-photon + tag: v2.10.2 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + controller: + image: + repository: goharbor/harbor-registryctl + tag: v2.10.2 + + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + replicas: 1 + revisionHistoryLimit: 10 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + # Secret is used to secure the upload state from client + # and registry storage backend. + # See: https://github.com/distribution/distribution/blob/main/docs/configuration.md#http + # If a secret key is not specified, Helm will generate one. + # Must be a string of 16 chars. + secret: "" + # Use an existing secret resource + existingSecret: "" + # Key within the existing secret for the registry service secret + existingSecretKey: REGISTRY_HTTP_SECRET + # If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL. + relativeurls: false + credentials: + username: "harbor_registry_user" + password: "harbor_registry_password" + # If using existingSecret, the key must be REGISTRY_PASSWD and REGISTRY_HTPASSWD + existingSecret: "" + # Login and password in htpasswd string format. Excludes `registry.credentials.username` and `registry.credentials.password`. May come in handy when integrating with tools like argocd or flux. This allows the same line to be generated each time the template is rendered, instead of the `htpasswd` function from helm, which generates different lines each time because of the salt. + # htpasswdString: $apr1$XLefHzeG$Xl4.s00sMSCCcMyJljSZb0 # example string + htpasswdString: "" + middleware: + enabled: false + type: cloudFront + cloudFront: + baseurl: example.cloudfront.net + keypairid: KEYPAIRID + duration: 3000s + ipfilteredby: none + # The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key + # that allows access to CloudFront + privateKeySecret: "my-secret" + # enable purge _upload directories + upload_purging: + enabled: true + # remove files in _upload directories which exist for a period of time, default is one week. + age: 168h + # the interval of the purge operations + interval: 24h + dryrun: false + +trivy: + # enabled the flag to enable Trivy scanner + enabled: true + image: + # repository the repository for Trivy adapter image + repository: goharbor/trivy-adapter-photon + # tag the tag for Trivy adapter image + tag: v2.10.2 + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + # replicas the number of Pod replicas + replicas: 1 + # debugMode the flag to enable Trivy debug mode with more verbose scanning log + debugMode: false + # vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`. + vulnType: "os,library" + # severity a comma-separated list of severities to be checked + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + # ignoreUnfixed the flag to display only fixed vulnerabilities + ignoreUnfixed: false + # insecure the flag to skip verifying registry certificate + insecure: false + # gitHubToken the GitHub access token to download Trivy DB + # + # Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases. + # It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached + # in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update + # timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one. + # Currently, the database is updated every 12 hours and published as a new release to GitHub. + # + # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough + # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 + # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult + # https://developer.github.com/v3/#rate-limiting + # + # You can create a GitHub token by following the instructions in + # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line + gitHubToken: "" + # skipUpdate the flag to disable Trivy DB downloads from GitHub + # + # You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues. + # If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the + # `/home/scanner/.cache/trivy/db/trivy.db` path. + skipUpdate: false + # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the + # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path + # + skipJavaDBUpdate: false + # The offlineScan option prevents Trivy from sending API requests to identify dependencies. + # + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify skipUpdate as well as offlineScan in an air-gapped environment. + offlineScan: false + # Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. + securityCheck: "vuln" + # The duration to wait for scan completion + timeout: 5m0s + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 1 + memory: 1Gi + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + ## The priority class to run the pod as + priorityClassName: + +database: + # if external database is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-db + tag: v2.10.2 + # The initial superuser password for internal database + password: "changeit" + # The size limit for Shared memory, pgSQL use it for shared_buffer + # More details see: + # https://github.com/goharbor/harbor/issues/15034 + shmSizeLimit: 512Mi + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + # The timeout used in livenessProbe; 1 to 5 seconds + livenessProbe: + timeoutSeconds: 1 + # The timeout used in readinessProbe; 1 to 5 seconds + readinessProbe: + timeoutSeconds: 1 + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + initContainer: + migrator: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + permissions: {} + # resources: + # requests: + # memory: 128Mi + # cpu: 100m + external: + host: "192.168.0.1" + port: "5432" + username: "user" + password: "password" + coreDatabase: "registry" + # if using existing secret, the key must be "password" + existingSecret: "" + # "disable" - No SSL + # "require" - Always SSL (skip verification) + # "verify-ca" - Always SSL (verify that the certificate presented by the + # server was signed by a trusted CA) + # "verify-full" - Always SSL (verify that the certification presented by the + # server was signed by a trusted CA and the server host name matches the one + # in the certificate) + sslmode: "disable" + # The maximum number of connections in the idle connection pool per pod (core+exporter). + # If it <=0, no idle connections are retained. + maxIdleConns: 100 + # The maximum number of open connections to the database per pod (core+exporter). + # If it <= 0, then there is no limit on the number of open connections. + # Note: the default number of connections is 1024 for postgre of harbor. + maxOpenConns: 900 + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +redis: + # if external Redis is used, set "type" to "external" + # and fill the connection information in "external" section + type: internal + internal: + # set the service account to be used, default if left empty + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/redis-photon + tag: v2.10.2 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + nodeSelector: {} + tolerations: [] + affinity: {} + ## The priority class to run the pod as + priorityClassName: + # # jobserviceDatabaseIndex defaults to "1" + # # registryDatabaseIndex defaults to "2" + # # trivyAdapterIndex defaults to "5" + # # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + external: + # support redis, redis+sentinel + # addr for redis: : + # addr for redis+sentinel: :,:,: + addr: "192.168.0.2:6379" + # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel + sentinelMasterSet: "" + # The "coreDatabaseIndex" must be "0" as the library Harbor + # used doesn't support configuring it + # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional + # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional + coreDatabaseIndex: "0" + jobserviceDatabaseIndex: "1" + registryDatabaseIndex: "2" + trivyAdapterIndex: "5" + # harborDatabaseIndex: "6" + # cacheLayerDatabaseIndex: "7" + # username field can be an empty string, and it will be authenticated against the default user + username: "" + password: "" + # If using existingSecret, the key must be REDIS_PASSWORD + existingSecret: "" + ## Additional deployment annotations + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + +exporter: + replicas: 1 + revisionHistoryLimit: 10 + # resources: + # requests: + # memory: 256Mi + # cpu: 100m + extraEnvVars: [] + podAnnotations: {} + ## Additional deployment labels + podLabels: {} + serviceAccountName: "" + # mount the service account token + automountServiceAccountToken: false + image: + repository: goharbor/harbor-exporter + tag: v2.10.2 + nodeSelector: {} + tolerations: [] + affinity: {} + # Spread Pods across failure-domains like regions, availability zones or nodes + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # nodeTaintsPolicy: Honor + # whenUnsatisfiable: DoNotSchedule + cacheDuration: 23 + cacheCleanInterval: 14400 + ## The priority class to run the pod as + priorityClassName: + +metrics: + enabled: false + core: + path: /metrics + port: 8001 + registry: + path: /metrics + port: 8001 + jobservice: + path: /metrics + port: 8001 + exporter: + path: /metrics + port: 8001 + ## Create prometheus serviceMonitor to scrape harbor metrics. + ## This requires the monitoring.coreos.com/v1 CRD. Please see + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md + ## + serviceMonitor: + enabled: false + additionalLabels: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # Metric relabel configs to apply to samples before ingestion. + metricRelabelings: + [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + # Relabel configs to apply to samples before ingestion. + relabelings: + [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +trace: + enabled: false + # trace provider: jaeger or otel + # jaeger should be 1.26+ + provider: jaeger + # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth + sample_rate: 1 + # namespace used to differentiate different harbor services + # namespace: + # attributes is a key value dict contains user defined attributes used to initialize trace provider + # attributes: + # application: harbor + jaeger: + # jaeger supports two modes: + # collector mode(uncomment endpoint and uncomment username, password if needed) + # agent mode(uncomment agent_host and agent_port) + endpoint: http://hostname:14268/api/traces + # username: + # password: + # agent_host: hostname + # export trace data by jaeger.thrift in compact mode + # agent_port: 6831 + otel: + endpoint: hostname:4318 + url_path: /v1/traces + compression: false + insecure: true + # timeout is in seconds + timeout: 10 + +# cache layer configurations +# if this feature enabled, harbor will cache the resource +# `project/project_metadata/repository/artifact/manifest` in the redis +# which help to improve the performance of high concurrent pulling manifest. +cache: + # default is not enabled. + enabled: false + # default keep cache for one day. + expireHours: 24 diff --git a/charts/harbor/harbor/1.15.0/.helmignore b/charts/harbor/harbor/1.15.0/.helmignore new file mode 100644 index 0000000000..b4424fd59b --- /dev/null +++ b/charts/harbor/harbor/1.15.0/.helmignore @@ -0,0 +1,6 @@ +.github/* +docs/* +.git/* +.gitignore +CONTRIBUTING.md +test/* \ No newline at end of file diff --git a/charts/harbor/harbor/Chart.yaml b/charts/harbor/harbor/1.15.0/Chart.yaml similarity index 100% rename from charts/harbor/harbor/Chart.yaml rename to charts/harbor/harbor/1.15.0/Chart.yaml diff --git a/charts/harbor/harbor/1.15.0/LICENSE b/charts/harbor/harbor/1.15.0/LICENSE new file mode 100644 index 0000000000..261eeb9e9f --- /dev/null +++ b/charts/harbor/harbor/1.15.0/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/harbor/harbor/README.md b/charts/harbor/harbor/1.15.0/README.md similarity index 100% rename from charts/harbor/harbor/README.md rename to charts/harbor/harbor/1.15.0/README.md diff --git a/charts/harbor/harbor/1.15.0/templates/NOTES.txt b/charts/harbor/harbor/1.15.0/templates/NOTES.txt new file mode 100644 index 0000000000..0980c08a35 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/NOTES.txt @@ -0,0 +1,3 @@ +Please wait for several minutes for Harbor deployment to complete. +Then you should be able to visit the Harbor portal at {{ .Values.externalURL }} +For more details, please visit https://github.com/goharbor/harbor diff --git a/charts/harbor/harbor/templates/_helpers.tpl b/charts/harbor/harbor/1.15.0/templates/_helpers.tpl similarity index 100% rename from charts/harbor/harbor/templates/_helpers.tpl rename to charts/harbor/harbor/1.15.0/templates/_helpers.tpl diff --git a/charts/harbor/harbor/1.15.0/templates/core/core-cm.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-cm.yaml new file mode 100644 index 0000000000..93cab01b4c --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/core/core-cm.yaml @@ -0,0 +1,90 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + app.conf: |+ + appname = Harbor + runmode = prod + enablegzip = true + + [prod] + httpport = {{ ternary "8443" "8080" .Values.internalTLS.enabled }} + PORT: "{{ ternary "8443" "8080" .Values.internalTLS.enabled }}" + DATABASE_TYPE: "postgresql" + POSTGRESQL_HOST: "{{ template "harbor.database.host" . }}" + POSTGRESQL_PORT: "{{ template "harbor.database.port" . }}" + POSTGRESQL_USERNAME: "{{ template "harbor.database.username" . }}" + POSTGRESQL_DATABASE: "{{ template "harbor.database.coreDatabase" . }}" + POSTGRESQL_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + POSTGRESQL_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + POSTGRESQL_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" + EXT_ENDPOINT: "{{ .Values.externalURL }}" + CORE_URL: "{{ template "harbor.coreURL" . }}" + JOBSERVICE_URL: "{{ template "harbor.jobserviceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + CORE_LOCAL_URL: "{{ ternary "https://127.0.0.1:8443" "http://127.0.0.1:8080" .Values.internalTLS.enabled }}" + WITH_TRIVY: {{ .Values.trivy.enabled | quote }} + TRIVY_ADAPTER_URL: "{{ template "harbor.trivyAdapterURL" . }}" + REGISTRY_STORAGE_PROVIDER_NAME: "{{ .Values.persistence.imageChartStorage.type }}" + LOG_LEVEL: "{{ .Values.logLevel }}" + CONFIG_PATH: "/etc/core/app.conf" + CHART_CACHE_DRIVER: "redis" + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + _REDIS_URL_REG: "{{ template "harbor.redis.urlForRegistry" . }}" + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.harborDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.harborDatabaseIndex) }} + _REDIS_URL_HARBOR: "{{ template "harbor.redis.urlForHarbor" . }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} + PORTAL_URL: "{{ template "harbor.portalURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + {{- if .Values.uaaSecretName }} + UAA_CA_ROOT: "/etc/core/auth-ca/auth-ca.crt" + {{- end }} + {{- if has "core" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + PERMITTED_REGISTRY_TYPES_FOR_PROXY_CACHE: "docker-hub,harbor,azure-acr,aws-ecr,google-gcr,quay,docker-registry,github-ghcr,jfrog-artifactory" + {{- if .Values.metrics.enabled}} + METRIC_ENABLE: "true" + METRIC_PATH: "{{ .Values.metrics.core.path }}" + METRIC_PORT: "{{ .Values.metrics.core.port }}" + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: core + {{- end }} + + {{- if hasKey .Values.core "gcTimeWindowHours" }} + #make the GC time window configurable for testing + GC_TIME_WINDOW_HOURS: "{{ .Values.core.gcTimeWindowHours }}" + {{- end }} + {{- template "harbor.traceEnvsForCore" . }} + + {{- if .Values.core.artifactPullAsyncFlushDuration }} + ARTIFACT_PULL_ASYNC_FLUSH_DURATION: {{ .Values.core.artifactPullAsyncFlushDuration | quote }} + {{- end }} + + {{- if .Values.core.gdpr}} + {{- if .Values.core.gdpr.deleteUser}} + GDPR_DELETE_USER: "true" + {{- end }} + {{- if .Values.core.gdpr.auditLogsCompliant}} + GDPR_AUDIT_LOGS: "true" + {{- end }} + {{- end }} + + {{- if .Values.cache.enabled }} + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + + {{- if .Values.core.quotaUpdateProvider }} + QUOTA_UPDATE_PROVIDER: "{{ .Values.core.quotaUpdateProvider }}" + {{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/core/core-dpl.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-dpl.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-dpl.yaml rename to charts/harbor/harbor/1.15.0/templates/core/core-dpl.yaml diff --git a/charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-pre-upgrade-job.yaml similarity index 100% rename from charts/harbor/harbor/templates/core/core-pre-upgrade-job.yaml rename to charts/harbor/harbor/1.15.0/templates/core/core-pre-upgrade-job.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/core/core-secret.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-secret.yaml new file mode 100644 index 0000000000..62a41fce80 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/core/core-secret.yaml @@ -0,0 +1,36 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.core" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.existingSecretSecretKey }} + secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingSecret }} + secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.core.secretName }} + {{- $ca := genCA "harbor-token-ca" 365 }} + tls.key: {{ .Values.core.tokenKey | default $ca.Key | b64enc | quote }} + tls.crt: {{ .Values.core.tokenCert | default $ca.Cert | b64enc | quote }} + {{- end }} + {{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} + {{- end }} + {{- if not .Values.database.external.existingSecret }} + POSTGRESQL_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- if not .Values.core.existingXsrfSecret }} + CSRF_KEY: {{ .Values.core.xsrfKey | default (include "harbor.secretKeyHelper" (dict "key" "CSRF_KEY" "data" $existingSecret.data)) | default (randAlphaNum 32) | b64enc | quote }} + {{- end }} +{{- if .Values.core.configureUserSettings }} + CONFIG_OVERWRITE_JSON: {{ .Values.core.configureUserSettings | b64enc | quote }} +{{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.15.0/templates/core/core-svc.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-svc.yaml new file mode 100644 index 0000000000..0d2cfb2915 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/core/core-svc.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.core" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.core.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - name: {{ ternary "https-web" "http-web" .Values.internalTLS.enabled }} + port: {{ template "harbor.core.servicePort" . }} + targetPort: {{ template "harbor.core.containerPort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.core.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: core diff --git a/charts/harbor/harbor/1.15.0/templates/core/core-tls.yaml b/charts/harbor/harbor/1.15.0/templates/core/core-tls.yaml new file mode 100644 index 0000000000..c52148f0d9 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/core/core-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.core.crt\" is required!" .Values.internalTLS.core.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.core.key\" is required!" .Values.internalTLS.core.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/database/database-secret.yaml b/charts/harbor/harbor/1.15.0/templates/database/database-secret.yaml new file mode 100644 index 0000000000..864aff4a18 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/database/database-secret.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + POSTGRES_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end -}} diff --git a/charts/harbor/harbor/templates/database/database-ss.yaml b/charts/harbor/harbor/1.15.0/templates/database/database-ss.yaml similarity index 100% rename from charts/harbor/harbor/templates/database/database-ss.yaml rename to charts/harbor/harbor/1.15.0/templates/database/database-ss.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/database/database-svc.yaml b/charts/harbor/harbor/1.15.0/templates/database/database-svc.yaml new file mode 100644 index 0000000000..6475048cd9 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/database/database-svc.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.database.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.database" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 5432 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: database +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/exporter/exporter-cm-env.yaml b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-cm-env.yaml new file mode 100644 index 0000000000..0bf4e7d905 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-cm-env.yaml @@ -0,0 +1,35 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.exporter" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + LOG_LEVEL: "{{ .Values.logLevel }}" + HARBOR_EXPORTER_PORT: "{{ .Values.metrics.exporter.port }}" + HARBOR_EXPORTER_METRICS_PATH: "{{ .Values.metrics.exporter.path }}" + HARBOR_EXPORTER_METRICS_ENABLED: "{{ .Values.metrics.enabled }}" + HARBOR_EXPORTER_CACHE_TIME: "{{ .Values.exporter.cacheDuration }}" + HARBOR_EXPORTER_CACHE_CLEAN_INTERVAL: "{{ .Values.exporter.cacheCleanInterval }}" + HARBOR_METRIC_NAMESPACE: harbor + HARBOR_METRIC_SUBSYSTEM: exporter + HARBOR_REDIS_URL: "{{ template "harbor.redis.urlForJobservice" . }}" + HARBOR_REDIS_NAMESPACE: harbor_job_service_namespace + HARBOR_REDIS_TIMEOUT: "3600" + HARBOR_SERVICE_SCHEME: "{{ template "harbor.component.scheme" . }}" + HARBOR_SERVICE_HOST: "{{ template "harbor.core" . }}" + HARBOR_SERVICE_PORT: "{{ template "harbor.core.servicePort" . }}" + HARBOR_DATABASE_HOST: "{{ template "harbor.database.host" . }}" + HARBOR_DATABASE_PORT: "{{ template "harbor.database.port" . }}" + HARBOR_DATABASE_USERNAME: "{{ template "harbor.database.username" . }}" + HARBOR_DATABASE_DBNAME: "{{ template "harbor.database.coreDatabase" . }}" + HARBOR_DATABASE_SSLMODE: "{{ template "harbor.database.sslmode" . }}" + HARBOR_DATABASE_MAX_IDLE_CONNS: "{{ .Values.database.maxIdleConns }}" + HARBOR_DATABASE_MAX_OPEN_CONNS: "{{ .Values.database.maxOpenConns }}" +{{- end}} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/exporter/exporter-dpl.yaml b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-dpl.yaml similarity index 100% rename from charts/harbor/harbor/templates/exporter/exporter-dpl.yaml rename to charts/harbor/harbor/1.15.0/templates/exporter/exporter-dpl.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/exporter/exporter-secret.yaml b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-secret.yaml new file mode 100644 index 0000000000..434a1bf689 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.exporter" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: +{{- if not .Values.existingSecretAdminPassword }} + HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | b64enc | quote }} +{{- end }} +{{- if not .Values.database.external.existingSecret }} + HARBOR_DATABASE_PASSWORD: {{ template "harbor.database.encryptedPassword" . }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/exporter/exporter-svc.yaml b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-svc.yaml new file mode 100644 index 0000000000..4a6f3fdec6 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/exporter/exporter-svc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.metrics.enabled}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.exporter" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.exporter.port }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: exporter +{{ end }} diff --git a/charts/harbor/harbor/templates/ingress/ingress.yaml b/charts/harbor/harbor/1.15.0/templates/ingress/ingress.yaml similarity index 100% rename from charts/harbor/harbor/templates/ingress/ingress.yaml rename to charts/harbor/harbor/1.15.0/templates/ingress/ingress.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/ingress/secret.yaml b/charts/harbor/harbor/1.15.0/templates/ingress/secret.yaml new file mode 100644 index 0000000000..41507b3dd9 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/ingress/secret.yaml @@ -0,0 +1,15 @@ +{{- if eq (include "harbor.autoGenCertForIngress" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cert := genSignedCert .Values.expose.ingress.hosts.core nil (list .Values.expose.ingress.hosts.core) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.ingress" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/internal/auto-tls.yaml b/charts/harbor/harbor/1.15.0/templates/internal/auto-tls.yaml new file mode 100644 index 0000000000..da5f5e2c7b --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/internal/auto-tls.yaml @@ -0,0 +1,81 @@ +{{- if and .Values.internalTLS.enabled (eq .Values.internalTLS.certSource "auto") }} +{{- $ca := genCA "harbor-internal-ca" 365 }} +{{- $coreCN := (include "harbor.core" .) }} +{{- $coreCrt := genSignedCert $coreCN (list "127.0.0.1") (list "localhost" $coreCN) 365 $ca }} +{{- $jsCN := (include "harbor.jobservice" .) }} +{{- $jsCrt := genSignedCert $jsCN nil (list $jsCN) 365 $ca }} +{{- $regCN := (include "harbor.registry" .) }} +{{- $regCrt := genSignedCert $regCN nil (list $regCN) 365 $ca }} +{{- $portalCN := (include "harbor.portal" .) }} +{{- $portalCrt := genSignedCert $portalCN nil (list $portalCN) 365 $ca }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.core.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $coreCrt.Cert | b64enc | quote }} + tls.key: {{ $coreCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $jsCrt.Cert | b64enc | quote }} + tls.key: {{ $jsCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $regCrt.Cert | b64enc | quote }} + tls.key: {{ $regCrt.Key | b64enc | quote }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $portalCrt.Cert | b64enc | quote }} + tls.key: {{ $portalCrt.Key | b64enc | quote }} + +{{- if and .Values.trivy.enabled}} +--- +{{- $trivyCN := (include "harbor.trivy" .) }} +{{- $trivyCrt := genSignedCert $trivyCN nil (list $trivyCN) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $trivyCrt.Cert | b64enc | quote }} + tls.key: {{ $trivyCrt.Key | b64enc | quote }} +{{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm-env.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm-env.yaml new file mode 100644 index 0000000000..8411c7a47c --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm-env.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}-env" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + CORE_URL: "{{ template "harbor.coreURL" . }}" + TOKEN_SERVICE_URL: "{{ template "harbor.tokenServiceURL" . }}" + REGISTRY_URL: "{{ template "harbor.registryURL" . }}" + REGISTRY_CONTROLLER_URL: "{{ template "harbor.registryControllerURL" . }}" + REGISTRY_CREDENTIAL_USERNAME: "{{ .Values.registry.credentials.username }}" + + JOBSERVICE_WEBHOOK_JOB_MAX_RETRY: "{{ .Values.jobservice.notification.webhook_job_max_retry }}" + JOBSERVICE_WEBHOOK_JOB_HTTP_CLIENT_TIMEOUT: "{{ .Values.jobservice.notification.webhook_job_http_client_timeout }}" + + {{- if has "jobservice" .Values.proxy.components }} + HTTP_PROXY: "{{ .Values.proxy.httpProxy }}" + HTTPS_PROXY: "{{ .Values.proxy.httpsProxy }}" + NO_PROXY: "{{ template "harbor.noProxy" . }}" + {{- end }} + {{- if .Values.metrics.enabled}} + METRIC_NAMESPACE: harbor + METRIC_SUBSYSTEM: jobservice + {{- end }} + {{- template "harbor.traceEnvsForJobservice" . }} + {{- if .Values.cache.enabled }} + _REDIS_URL_CORE: "{{ template "harbor.redis.urlForCore" . }}" + CACHE_ENABLED: "true" + CACHE_EXPIRE_HOURS: "{{ .Values.cache.expireHours }}" + {{- end }} + {{- if or (and (eq .Values.redis.type "internal") .Values.redis.internal.cacheLayerDatabaseIndex) (and (eq .Values.redis.type "external") .Values.redis.external.cacheLayerDatabaseIndex) }} + _REDIS_URL_CACHE_LAYER: "{{ template "harbor.redis.urlForCache" . }}" + {{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm.yaml new file mode 100644 index 0000000000..8211c62209 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-cm.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + #Server listening port + protocol: "{{ template "harbor.component.scheme" . }}" + port: {{ template "harbor.jobservice.containerPort". }} + {{- if .Values.internalTLS.enabled }} + https_config: + cert: "/etc/harbor/ssl/jobservice/tls.crt" + key: "/etc/harbor/ssl/jobservice/tls.key" + {{- end }} + worker_pool: + workers: {{ .Values.jobservice.maxJobWorkers }} + backend: "redis" + redis_pool: + redis_url: "{{ template "harbor.redis.urlForJobservice" . }}" + namespace: "harbor_job_service_namespace" + idle_timeout_second: 3600 + job_loggers: + {{- if has "file" .Values.jobservice.jobLoggers }} + - name: "FILE" + level: {{ .Values.logLevel | upper }} + settings: # Customized settings of logger + base_dir: "/var/log/jobs" + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + settings: # Customized settings of sweeper + work_dir: "/var/log/jobs" + {{- end }} + {{- if has "database" .Values.jobservice.jobLoggers }} + - name: "DB" + level: {{ .Values.logLevel | upper }} + sweeper: + duration: {{ .Values.jobservice.loggerSweeperDuration }} #days + {{- end }} + {{- if has "stdout" .Values.jobservice.jobLoggers }} + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + {{- end }} + metric: + enabled: {{ .Values.metrics.enabled }} + path: {{ .Values.metrics.jobservice.path }} + port: {{ .Values.metrics.jobservice.port }} + #Loggers for the job service + loggers: + - name: "STD_OUTPUT" + level: {{ .Values.logLevel | upper }} + reaper: + # the max time to wait for a task to finish, if unfinished after max_update_hours, the task will be mark as error, but the task will continue to run, default value is 24 + max_update_hours: {{ .Values.jobservice.reaper.max_update_hours }} + # the max time for execution in running state without new task created + max_dangling_hours: {{ .Values.jobservice.reaper.max_dangling_hours }} diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-dpl.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-dpl.yaml rename to charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-dpl.yaml diff --git a/charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-pvc.yaml similarity index 100% rename from charts/harbor/harbor/templates/jobservice/jobservice-pvc.yaml rename to charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-pvc.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-secrets.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-secrets.yaml new file mode 100644 index 0000000000..eeb00bde00 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-secrets.yaml @@ -0,0 +1,16 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.jobservice" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.jobservice.existingSecret }} + JOBSERVICE_SECRET: {{ .Values.jobservice.secret | default (include "harbor.secretKeyHelper" (dict "key" "JOBSERVICE_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.registry.credentials.existingSecret }} + REGISTRY_CREDENTIAL_PASSWORD: {{ .Values.registry.credentials.password | b64enc | quote }} + {{- end }} + {{- template "harbor.traceJaegerPassword" . }} diff --git a/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-svc.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-svc.yaml new file mode 100644 index 0000000000..d2b7a47fd4 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.jobservice" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-jobservice" "http-jobservice" .Values.internalTLS.enabled }} + port: {{ template "harbor.jobservice.servicePort" . }} + targetPort: {{ template "harbor.jobservice.containerPort" . }} +{{- if .Values.metrics.enabled }} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.jobservice.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: jobservice diff --git a/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-tls.yaml b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-tls.yaml new file mode 100644 index 0000000000..234cb39995 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/jobservice/jobservice-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.jobservice.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.jobservice.crt\" is required!" .Values.internalTLS.jobservice.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.jobservice.key\" is required!" .Values.internalTLS.jobservice.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/metrics/metrics-svcmon.yaml b/charts/harbor/harbor/1.15.0/templates/metrics/metrics-svcmon.yaml new file mode 100644 index 0000000000..1122ef01ef --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/metrics/metrics-svcmon.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "harbor.fullname" . }} + labels: {{ include "harbor.labels" . | nindent 4 }} +{{- if .Values.metrics.serviceMonitor.additionalLabels }} +{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }} +{{- end }} +spec: + jobLabel: app.kubernetes.io/name + endpoints: + - port: {{ template "harbor.metricsPortName" . }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + honorLabels: true +{{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: +{{ tpl (toYaml .Values.metrics.serviceMonitor.metricRelabelings | indent 4) . }} +{{- end }} +{{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: +{{ toYaml .Values.metrics.serviceMonitor.relabelings | indent 4 }} +{{- end }} + selector: + matchLabels: {{ include "harbor.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/nginx/configmap-http.yaml b/charts/harbor/harbor/1.15.0/templates/nginx/configmap-http.yaml new file mode 100644 index 0000000000..c4b8354d06 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/nginx/configmap-http.yaml @@ -0,0 +1,150 @@ +{{- if and (ne .Values.expose.type "ingress") (not .Values.expose.tls.enabled) }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server {{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled}} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end }} + server_tokens off; + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # Add extra headers + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + proxy_send_timeout 900; + proxy_read_timeout 900; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + } +{{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/nginx/configmap-https.yaml b/charts/harbor/harbor/1.15.0/templates/nginx/configmap-https.yaml new file mode 100644 index 0000000000..56c943a619 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/nginx/configmap-https.yaml @@ -0,0 +1,187 @@ +{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }} +{{- $scheme := (include "harbor.component.scheme" .) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + + events { + worker_connections 3096; + use epoll; + multi_accept on; + } + + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + tcp_nodelay on; + + # this is necessary for us to be able to disable request buffering in all cases + proxy_http_version 1.1; + + upstream core { + server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}"; + } + + upstream portal { + server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}"; + } + + log_format timed_combined '[$time_local]:$remote_addr - ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" ' + '$request_time $upstream_response_time $pipe'; + + access_log /dev/stdout timed_combined; + + map $http_x_forwarded_proto $x_forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; + } + + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8443 ssl; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8443 ssl; + {{- end }} + # server_name harbordomain.com; + server_tokens off; + # SSL + ssl_certificate /etc/nginx/cert/tls.crt; + ssl_certificate_key /etc/nginx/cert/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # disable any limits to avoid HTTP 413 for large image uploads + client_max_body_size 0; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486) + chunked_transfer_encoding on; + + # Add extra headers + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; + add_header X-Frame-Options DENY; + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + proxy_pass {{ $scheme }}://portal/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; HttpOnly; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /api/ { + proxy_pass {{ $scheme }}://core/api/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /chartrepo/ { + proxy_pass {{ $scheme }}://core/chartrepo/; + {{- if and .Values.internalTLS.enabled }} + proxy_ssl_verify off; + proxy_ssl_session_reuse on; + {{- end }} + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /c/ { + proxy_pass {{ $scheme }}://core/c/; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /v1/ { + return 404; + } + + location /v2/ { + proxy_pass {{ $scheme }}://core/v2/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/ { + proxy_pass {{ $scheme }}://core/service/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $x_forwarded_proto; + + proxy_cookie_path / "/; Secure"; + + proxy_buffering off; + proxy_request_buffering off; + } + + location /service/notifications { + return 404; + } + } + server { + {{- if .Values.ipFamily.ipv4.enabled }} + listen 8080; + {{- end}} + {{- if .Values.ipFamily.ipv6.enabled }} + listen [::]:8080; + {{- end}} + #server_name harbordomain.com; + return 301 https://$host$request_uri; + } + } +{{- end }} diff --git a/charts/harbor/harbor/templates/nginx/deployment.yaml b/charts/harbor/harbor/1.15.0/templates/nginx/deployment.yaml similarity index 100% rename from charts/harbor/harbor/templates/nginx/deployment.yaml rename to charts/harbor/harbor/1.15.0/templates/nginx/deployment.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/nginx/secret.yaml b/charts/harbor/harbor/1.15.0/templates/nginx/secret.yaml new file mode 100644 index 0000000000..c819c556d9 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/nginx/secret.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "harbor.autoGenCertForNginx" .) "true" }} +{{- $ca := genCA "harbor-ca" 365 }} +{{- $cn := (required "The \"expose.tls.auto.commonName\" is required!" .Values.expose.tls.auto.commonName) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.nginx" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if regexMatch `^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$` $cn }} + {{- $cert := genSignedCert $cn (list $cn) nil 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- else }} + {{- $cert := genSignedCert $cn nil (list $cn) 365 $ca }} + tls.crt: {{ $cert.Cert | b64enc | quote }} + tls.key: {{ $cert.Key | b64enc | quote }} + ca.crt: {{ $ca.Cert | b64enc | quote }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/nginx/service.yaml b/charts/harbor/harbor/1.15.0/templates/nginx/service.yaml similarity index 100% rename from charts/harbor/harbor/templates/nginx/service.yaml rename to charts/harbor/harbor/1.15.0/templates/nginx/service.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/portal/configmap.yaml b/charts/harbor/harbor/1.15.0/templates/portal/configmap.yaml new file mode 100644 index 0000000000..7b2118e721 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/portal/configmap.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + nginx.conf: |+ + worker_processes auto; + pid /tmp/nginx.pid; + events { + worker_connections 1024; + } + http { + client_body_temp_path /tmp/client_body_temp; + proxy_temp_path /tmp/proxy_temp; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + server { + {{- if .Values.internalTLS.enabled }} + {{- if .Values.ipFamily.ipv4.enabled}} + listen {{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }} ssl; + {{- end }} + # SSL + ssl_certificate /etc/harbor/ssl/portal/tls.crt; + ssl_certificate_key /etc/harbor/ssl/portal/tls.key; + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + {{- if .Values.internalTLS.strong_ssl_ciphers }} + ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+RSA+SHA256:DHE+RSA+SHA256:!AES128; + {{ else }} + ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:'; + {{- end }} + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + {{- else }} + {{- if .Values.ipFamily.ipv4.enabled }} + listen {{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- if .Values.ipFamily.ipv6.enabled}} + listen [::]:{{ template "harbor.portal.containerPort" . }}; + {{- end }} + {{- end }} + server_name localhost; + root /usr/share/nginx/html; + index index.html index.htm; + include /etc/nginx/mime.types; + gzip on; + gzip_min_length 1000; + gzip_proxied expired no-cache no-store private auth; + gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript; + location /devcenter-api-2.0 { + try_files $uri $uri/ /swagger-ui-index.html; + } + location / { + try_files $uri $uri/ /index.html; + } + location = /index.html { + add_header Cache-Control "no-store, no-cache, must-revalidate"; + } + } + } diff --git a/charts/harbor/harbor/templates/portal/deployment.yaml b/charts/harbor/harbor/1.15.0/templates/portal/deployment.yaml similarity index 100% rename from charts/harbor/harbor/templates/portal/deployment.yaml rename to charts/harbor/harbor/1.15.0/templates/portal/deployment.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/portal/service.yaml b/charts/harbor/harbor/1.15.0/templates/portal/service.yaml new file mode 100644 index 0000000000..d00026da46 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/portal/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.portal" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +{{- with .Values.portal.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.expose.ingress.controller "gce") (eq .Values.expose.ingress.controller "alb") (eq .Values.expose.ingress.controller "f5-bigip") }} + type: NodePort +{{- end }} + ports: + - port: {{ template "harbor.portal.servicePort" . }} + targetPort: {{ template "harbor.portal.containerPort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: portal diff --git a/charts/harbor/harbor/1.15.0/templates/portal/tls.yaml b/charts/harbor/harbor/1.15.0/templates/portal/tls.yaml new file mode 100644 index 0000000000..de63f4e813 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/portal/tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.portal.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.portal.crt\" is required!" .Values.internalTLS.portal.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.portal.key\" is required!" .Values.internalTLS.portal.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/redis/service.yaml b/charts/harbor/harbor/1.15.0/templates/redis/service.yaml new file mode 100644 index 0000000000..79c95c3e05 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/redis/service.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.redis.type "internal" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "harbor.redis" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - port: 6379 + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: redis +{{- end -}} \ No newline at end of file diff --git a/charts/harbor/harbor/templates/redis/statefulset.yaml b/charts/harbor/harbor/1.15.0/templates/redis/statefulset.yaml similarity index 100% rename from charts/harbor/harbor/templates/redis/statefulset.yaml rename to charts/harbor/harbor/1.15.0/templates/redis/statefulset.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registry-cm.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-cm.yaml new file mode 100644 index 0000000000..4f7056c384 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registry-cm.yaml @@ -0,0 +1,246 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + config.yml: |+ + version: 0.1 + log: + {{- if eq .Values.logLevel "warning" }} + level: warn + {{- else if eq .Values.logLevel "fatal" }} + level: error + {{- else }} + level: {{ .Values.logLevel }} + {{- end }} + fields: + service: registry + storage: + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if eq $type "filesystem" }} + filesystem: + rootdirectory: {{ $storage.filesystem.rootdirectory }} + {{- if $storage.filesystem.maxthreads }} + maxthreads: {{ $storage.filesystem.maxthreads }} + {{- end }} + {{- else if eq $type "azure" }} + azure: + accountname: {{ $storage.azure.accountname }} + container: {{ $storage.azure.container }} + {{- if $storage.azure.realm }} + realm: {{ $storage.azure.realm }} + {{- end }} + {{- else if eq $type "gcs" }} + gcs: + bucket: {{ $storage.gcs.bucket }} + {{- if not .Values.persistence.imageChartStorage.gcs.useWorkloadIdentity }} + keyfile: /etc/registry/gcs-key.json + {{- end }} + {{- if $storage.gcs.rootdirectory }} + rootdirectory: {{ $storage.gcs.rootdirectory }} + {{- end }} + {{- if $storage.gcs.chunksize }} + chunksize: {{ $storage.gcs.chunksize }} + {{- end }} + {{- else if eq $type "s3" }} + s3: + region: {{ $storage.s3.region }} + bucket: {{ $storage.s3.bucket }} + {{- if $storage.s3.regionendpoint }} + regionendpoint: {{ $storage.s3.regionendpoint }} + {{- end }} + {{- if $storage.s3.encrypt }} + encrypt: {{ $storage.s3.encrypt }} + {{- end }} + {{- if $storage.s3.keyid }} + keyid: {{ $storage.s3.keyid }} + {{- end }} + {{- if $storage.s3.secure }} + secure: {{ $storage.s3.secure }} + {{- end }} + {{- if and $storage.s3.secure $storage.s3.skipverify }} + skipverify: {{ $storage.s3.skipverify }} + {{- end }} + {{- if $storage.s3.v4auth }} + v4auth: {{ $storage.s3.v4auth }} + {{- end }} + {{- if $storage.s3.chunksize }} + chunksize: {{ $storage.s3.chunksize }} + {{- end }} + {{- if $storage.s3.rootdirectory }} + rootdirectory: {{ $storage.s3.rootdirectory }} + {{- end }} + {{- if $storage.s3.storageclass }} + storageclass: {{ $storage.s3.storageclass }} + {{- end }} + {{- if $storage.s3.multipartcopychunksize }} + multipartcopychunksize: {{ $storage.s3.multipartcopychunksize }} + {{- end }} + {{- if $storage.s3.multipartcopymaxconcurrency }} + multipartcopymaxconcurrency: {{ $storage.s3.multipartcopymaxconcurrency }} + {{- end }} + {{- if $storage.s3.multipartcopythresholdsize }} + multipartcopythresholdsize: {{ $storage.s3.multipartcopythresholdsize }} + {{- end }} + {{- else if eq $type "swift" }} + swift: + authurl: {{ $storage.swift.authurl }} + username: {{ $storage.swift.username }} + container: {{ $storage.swift.container }} + {{- if $storage.swift.region }} + region: {{ $storage.swift.region }} + {{- end }} + {{- if $storage.swift.tenant }} + tenant: {{ $storage.swift.tenant }} + {{- end }} + {{- if $storage.swift.tenantid }} + tenantid: {{ $storage.swift.tenantid }} + {{- end }} + {{- if $storage.swift.domain }} + domain: {{ $storage.swift.domain }} + {{- end }} + {{- if $storage.swift.domainid }} + domainid: {{ $storage.swift.domainid }} + {{- end }} + {{- if $storage.swift.trustid }} + trustid: {{ $storage.swift.trustid }} + {{- end }} + {{- if $storage.swift.insecureskipverify }} + insecureskipverify: {{ $storage.swift.insecureskipverify }} + {{- end }} + {{- if $storage.swift.chunksize }} + chunksize: {{ $storage.swift.chunksize }} + {{- end }} + {{- if $storage.swift.prefix }} + prefix: {{ $storage.swift.prefix }} + {{- end }} + {{- if $storage.swift.authversion }} + authversion: {{ $storage.swift.authversion }} + {{- end }} + {{- if $storage.swift.endpointtype }} + endpointtype: {{ $storage.swift.endpointtype }} + {{- end }} + {{- if $storage.swift.tempurlcontainerkey }} + tempurlcontainerkey: {{ $storage.swift.tempurlcontainerkey }} + {{- end }} + {{- if $storage.swift.tempurlmethods }} + tempurlmethods: {{ $storage.swift.tempurlmethods }} + {{- end }} + {{- else if eq $type "oss" }} + oss: + accesskeyid: {{ $storage.oss.accesskeyid }} + region: {{ $storage.oss.region }} + bucket: {{ $storage.oss.bucket }} + {{- if $storage.oss.endpoint }} + endpoint: {{ $storage.oss.bucket }}.{{ $storage.oss.endpoint }} + {{- end }} + {{- if $storage.oss.internal }} + internal: {{ $storage.oss.internal }} + {{- end }} + {{- if $storage.oss.encrypt }} + encrypt: {{ $storage.oss.encrypt }} + {{- end }} + {{- if $storage.oss.secure }} + secure: {{ $storage.oss.secure }} + {{- end }} + {{- if $storage.oss.chunksize }} + chunksize: {{ $storage.oss.chunksize }} + {{- end }} + {{- if $storage.oss.rootdirectory }} + rootdirectory: {{ $storage.oss.rootdirectory }} + {{- end }} + {{- end }} + cache: + layerinfo: redis + maintenance: + uploadpurging: + {{- if .Values.registry.upload_purging.enabled }} + enabled: true + age: {{ .Values.registry.upload_purging.age }} + interval: {{ .Values.registry.upload_purging.interval }} + dryrun: {{ .Values.registry.upload_purging.dryrun }} + {{- else }} + enabled: false + {{- end }} + delete: + enabled: true + redirect: + disable: {{ $storage.disableredirect }} + redis: + addr: {{ template "harbor.redis.addr" . }} + {{- if eq "redis+sentinel" (include "harbor.redis.scheme" .) }} + sentinelMasterSet: {{ template "harbor.redis.masterSet" . }} + {{- end }} + db: {{ template "harbor.redis.dbForRegistry" . }} + {{- if not (eq (include "harbor.redis.password" .) "") }} + password: {{ template "harbor.redis.password" . }} + {{- end }} + readtimeout: 10s + writetimeout: 10s + dialtimeout: 10s + pool: + maxidle: 100 + maxactive: 500 + idletimeout: 60s + http: + addr: :{{ template "harbor.registry.containerPort" . }} + relativeurls: {{ .Values.registry.relativeurls }} + {{- if .Values.internalTLS.enabled }} + tls: + certificate: /etc/harbor/ssl/registry/tls.crt + key: /etc/harbor/ssl/registry/tls.key + minimumtls: tls1.2 + {{- end }} + # set via environment variable + # secret: placeholder + debug: + {{- if .Values.metrics.enabled}} + addr: :{{ .Values.metrics.registry.port }} + prometheus: + enabled: true + path: {{ .Values.metrics.registry.path }} + {{- else }} + addr: localhost:5001 + {{- end }} + auth: + htpasswd: + realm: harbor-registry-basic-realm + path: /etc/registry/passwd + validation: + disabled: true + compatibility: + schema1: + enabled: true + + {{- if .Values.registry.middleware.enabled }} + {{- $middleware := .Values.registry.middleware }} + {{- $middlewareType := $middleware.type }} + {{- if eq $middlewareType "cloudFront" }} + middleware: + storage: + - name: cloudfront + options: + baseurl: {{ $middleware.cloudFront.baseurl }} + privatekey: /etc/registry/pk.pem + keypairid: {{ $middleware.cloudFront.keypairid }} + duration: {{ $middleware.cloudFront.duration }} + ipfilteredby: {{ $middleware.cloudFront.ipfilteredby }} + {{- end }} + {{- end }} + ctl-config.yml: |+ + --- + {{- if .Values.internalTLS.enabled }} + protocol: "https" + port: 8443 + https_config: + cert: "/etc/harbor/ssl/registry/tls.crt" + key: "/etc/harbor/ssl/registry/tls.key" + {{- else }} + protocol: "http" + port: 8080 + {{- end }} + log_level: {{ .Values.logLevel }} + registry_config: "/etc/registry/config.yml" diff --git a/charts/harbor/harbor/templates/registry/registry-dpl.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-dpl.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-dpl.yaml rename to charts/harbor/harbor/1.15.0/templates/registry/registry-dpl.yaml diff --git a/charts/harbor/harbor/templates/registry/registry-pvc.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-pvc.yaml similarity index 100% rename from charts/harbor/harbor/templates/registry/registry-pvc.yaml rename to charts/harbor/harbor/1.15.0/templates/registry/registry-pvc.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registry-secret.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-secret.yaml new file mode 100644 index 0000000000..e853a9cbec --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registry-secret.yaml @@ -0,0 +1,55 @@ +{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "harbor.registry" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if not .Values.registry.existingSecret }} + REGISTRY_HTTP_SECRET: {{ .Values.registry.secret | default (include "harbor.secretKeyHelper" (dict "key" "REGISTRY_HTTP_SECRET" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }} + {{- end }} + {{- if not .Values.redis.external.existingSecret }} + REGISTRY_REDIS_PASSWORD: {{ include "harbor.redis.password" . | b64enc | quote }} + {{- end }} + {{- $storage := .Values.persistence.imageChartStorage }} + {{- $type := $storage.type }} + {{- if and (eq $type "azure") (not $storage.azure.existingSecret) }} + REGISTRY_STORAGE_AZURE_ACCOUNTKEY: {{ $storage.azure.accountkey | b64enc | quote }} + {{- else if and (and (eq $type "gcs") (not $storage.gcs.existingSecret)) (not $storage.gcs.useWorkloadIdentity) }} + GCS_KEY_DATA: {{ $storage.gcs.encodedkey | quote }} + {{- else if eq $type "s3" }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.accesskey) }} + REGISTRY_STORAGE_S3_ACCESSKEY: {{ $storage.s3.accesskey | b64enc | quote }} + {{- end }} + {{- if and (not $storage.s3.existingSecret) ($storage.s3.secretkey) }} + REGISTRY_STORAGE_S3_SECRETKEY: {{ $storage.s3.secretkey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "swift") (not ($storage.swift.existingSecret)) }} + REGISTRY_STORAGE_SWIFT_PASSWORD: {{ $storage.swift.password | b64enc | quote }} + {{- if $storage.swift.secretkey }} + REGISTRY_STORAGE_SWIFT_SECRETKEY: {{ $storage.swift.secretkey | b64enc | quote }} + {{- end }} + {{- if $storage.swift.accesskey }} + REGISTRY_STORAGE_SWIFT_ACCESSKEY: {{ $storage.swift.accesskey | b64enc | quote }} + {{- end }} + {{- else if and (eq $type "oss") ((not ($storage.oss.existingSecret))) }} + REGISTRY_STORAGE_OSS_ACCESSKEYSECRET: {{ $storage.oss.accesskeysecret | b64enc | quote }} + {{- end }} +{{- if not .Values.registry.credentials.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registry" . }}-htpasswd" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.registry.credentials.htpasswdString }} + REGISTRY_HTPASSWD: {{ .Values.registry.credentials.htpasswdString | b64enc | quote }} + {{- else }} + REGISTRY_HTPASSWD: {{ htpasswd .Values.registry.credentials.username .Values.registry.credentials.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registry-svc.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-svc.yaml new file mode 100644 index 0000000000..749690ea03 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registry-svc.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.registry" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-registry" "http-registry" .Values.internalTLS.enabled }} + port: {{ template "harbor.registry.servicePort" . }} + + - name: {{ ternary "https-controller" "http-controller" .Values.internalTLS.enabled }} + port: {{ template "harbor.registryctl.servicePort" . }} +{{- if .Values.metrics.enabled}} + - name: {{ template "harbor.metricsPortName" . }} + port: {{ .Values.metrics.registry.port }} +{{- end }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: registry \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registry-tls.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registry-tls.yaml new file mode 100644 index 0000000000..9d1862c417 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registry-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.registry.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.registry.crt\" is required!" .Values.internalTLS.registry.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.registry.key\" is required!" .Values.internalTLS.registry.key) | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registryctl-cm.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registryctl-cm.yaml new file mode 100644 index 0000000000..87aa5ffe24 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registryctl-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +data: + {{- template "harbor.traceEnvsForRegistryCtl" . }} diff --git a/charts/harbor/harbor/1.15.0/templates/registry/registryctl-secret.yaml b/charts/harbor/harbor/1.15.0/templates/registry/registryctl-secret.yaml new file mode 100644 index 0000000000..70097703e9 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/registry/registryctl-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.registryCtl" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + {{- template "harbor.traceJaegerPassword" . }} \ No newline at end of file diff --git a/charts/harbor/harbor/1.15.0/templates/trivy/trivy-secret.yaml b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-secret.yaml new file mode 100644 index 0000000000..84652c7498 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.trivy.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "harbor.trivy" . }} + labels: +{{ include "harbor.labels" . | indent 4 }} +type: Opaque +data: + redisURL: {{ include "harbor.redis.urlForTrivy" . | b64enc }} + gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }} +{{- end }} diff --git a/charts/harbor/harbor/templates/trivy/trivy-sts.yaml b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-sts.yaml similarity index 100% rename from charts/harbor/harbor/templates/trivy/trivy-sts.yaml rename to charts/harbor/harbor/1.15.0/templates/trivy/trivy-sts.yaml diff --git a/charts/harbor/harbor/1.15.0/templates/trivy/trivy-svc.yaml b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-svc.yaml new file mode 100644 index 0000000000..24daf094e8 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-svc.yaml @@ -0,0 +1,16 @@ +{{ if .Values.trivy.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: "{{ template "harbor.trivy" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +spec: + ports: + - name: {{ ternary "https-trivy" "http-trivy" .Values.internalTLS.enabled }} + protocol: TCP + port: {{ template "harbor.trivy.servicePort" . }} + selector: +{{ include "harbor.matchLabels" . | indent 4 }} + component: trivy +{{ end }} diff --git a/charts/harbor/harbor/1.15.0/templates/trivy/trivy-tls.yaml b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-tls.yaml new file mode 100644 index 0000000000..a9c8330c37 --- /dev/null +++ b/charts/harbor/harbor/1.15.0/templates/trivy/trivy-tls.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.trivy.enabled .Values.internalTLS.enabled }} +{{- if eq .Values.internalTLS.certSource "manual" }} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ template "harbor.internalTLS.trivy.secretName" . }}" + labels: +{{ include "harbor.labels" . | indent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ (required "The \"internalTLS.trustCa\" is required!" .Values.internalTLS.trustCa) | b64enc | quote }} + tls.crt: {{ (required "The \"internalTLS.trivy.crt\" is required!" .Values.internalTLS.trivy.crt) | b64enc | quote }} + tls.key: {{ (required "The \"internalTLS.trivy.key\" is required!" .Values.internalTLS.trivy.key) | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/harbor/harbor/values.yaml b/charts/harbor/harbor/1.15.0/values.yaml similarity index 100% rename from charts/harbor/harbor/values.yaml rename to charts/harbor/harbor/1.15.0/values.yaml diff --git a/charts/hashicorp/consul/1.1.2/.helmignore b/charts/hashicorp/consul/1.1.2/.helmignore new file mode 100644 index 0000000000..d1180d2fb7 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/.helmignore @@ -0,0 +1,4 @@ +.git/ +.terraform/ +bin/ +test/ diff --git a/charts/hashicorp/consul/1.1.2/Chart.yaml b/charts/hashicorp/consul/1.1.2/Chart.yaml new file mode 100644 index 0000000000..c014890d22 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.15.3 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.1.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.1.2 + - name: envoy + image: envoyproxy/envoy:v1.25.6 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.15.3 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.1.2 diff --git a/charts/hashicorp/consul/1.1.2/README.md b/charts/hashicorp/consul/1.1.2/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.1.2/addons/gen.sh b/charts/hashicorp/consul/1.1.2/addons/gen.sh new file mode 100644 index 0000000000..967b368c63 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/addons/gen.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.1.2/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.1.2/addons/values/prometheus.yaml new file mode 100644 index 0000000000..9ffe9af5ae --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/addons/values/prometheus.yaml @@ -0,0 +1,18 @@ +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/assets/icon.png b/charts/hashicorp/consul/1.1.2/assets/icon.png similarity index 100% rename from charts/hashicorp/consul/assets/icon.png rename to charts/hashicorp/consul/1.1.2/assets/icon.png diff --git a/charts/hashicorp/consul/templates/NOTES.txt b/charts/hashicorp/consul/1.1.2/templates/NOTES.txt similarity index 100% rename from charts/hashicorp/consul/templates/NOTES.txt rename to charts/hashicorp/consul/1.1.2/templates/NOTES.txt diff --git a/charts/hashicorp/consul/1.1.2/templates/_helpers.tpl b/charts/hashicorp/consul/1.1.2/templates/_helpers.tpl new file mode 100644 index 0000000000..dd8f00222e --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/_helpers.tpl @@ -0,0 +1,425 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..8c5c2fa73e --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,302 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/auth-method-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/auth-method-clusterrole.yaml rename to charts/hashicorp/consul/1.1.2/templates/auth-method-clusterrole.yaml diff --git a/charts/hashicorp/consul/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/auth-method-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/auth-method-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/auth-method-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.1.2/templates/auth-method-secret.yaml similarity index 100% rename from charts/hashicorp/consul/templates/auth-method-secret.yaml rename to charts/hashicorp/consul/1.1.2/templates/auth-method-secret.yaml diff --git a/charts/hashicorp/consul/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/auth-method-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/auth-method-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/auth-method-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..f9650a100b --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/client-config-configmap.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.1.2/templates/client-daemonset.yaml new file mode 100644 index 0000000000..09a70b394e --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/client-daemonset.yaml @@ -0,0 +1,603 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/client-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/client-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/client-role.yaml b/charts/hashicorp/consul/1.1.2/templates/client-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/client-role.yaml diff --git a/charts/hashicorp/consul/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/client-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/client-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.1.2/templates/client-securitycontextconstraints.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-securitycontextconstraints.yaml rename to charts/hashicorp/consul/1.1.2/templates/client-securitycontextconstraints.yaml diff --git a/charts/hashicorp/consul/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/client-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/client-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-clusterrole.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-clusterrole.yaml diff --git a/charts/hashicorp/consul/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..ae04d9e657 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/cni-daemonset.yaml @@ -0,0 +1,90 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-networkattachmentdefinition.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-networkattachmentdefinition.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-networkattachmentdefinition.yaml diff --git a/charts/hashicorp/consul/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-resourcequota.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-resourcequota.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-resourcequota.yaml diff --git a/charts/hashicorp/consul/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-securitycontextconstraints.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-securitycontextconstraints.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-securitycontextconstraints.yaml diff --git a/charts/hashicorp/consul/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/cni-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/cni-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..f2e12f0ad9 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,119 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + verbs: + - get + - patch + - update +{{- if .Values.global.acls.manageSystemACLs }} +- apiGroups: [ "" ] + resources: [ "serviceaccounts", "secrets" ] + verbs: + - get +{{- end }} +- apiGroups: [ "" ] + resources: [ "endpoints", "services", "namespaces", "nodes" ] + verbs: + - "get" + - "list" + - "watch" +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..479e05b25a --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/connect-inject-deployment.yaml @@ -0,0 +1,339 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-leader-election-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-leader-election-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-leader-election-role.yaml diff --git a/charts/hashicorp/consul/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-leader-election-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-leader-election-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-leader-election-rolebinding.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..afcfd3800f --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,295 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-service.yaml diff --git a/charts/hashicorp/consul/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-inject-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-inject-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.1.2/templates/connect-injector-disruptionbudget.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-injector-disruptionbudget.yaml rename to charts/hashicorp/consul/1.1.2/templates/connect-injector-disruptionbudget.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..007990372c --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-exportedservices.yaml @@ -0,0 +1,143 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: exportedservices.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: '[Experimental] Peer is the name of the peer + to export the service to.' + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..a01fafd8dd --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-ingressgateways.yaml @@ -0,0 +1,377 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: ingressgateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-meshes.yaml new file mode 100644 index 0000000000..2e33eb9653 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-meshes.yaml @@ -0,0 +1,210 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshes.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..e06e830f04 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-peeringacceptors.yaml @@ -0,0 +1,154 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringacceptors.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..e24401e761 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-peeringdialers.yaml @@ -0,0 +1,154 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringdialers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..749f2e4257 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-proxydefaults.yaml @@ -0,0 +1,234 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: proxydefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..9ed10be65b --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-servicedefaults.yaml @@ -0,0 +1,491 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicedefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..cdbb5413b0 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-serviceintentions.yaml @@ -0,0 +1,241 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceintentions.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: '[Experimental] Peer is the peer name for the Name + parameter.' + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..e058052e97 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-serviceresolvers.yaml @@ -0,0 +1,318 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceresolvers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..f28da9e7c1 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-servicerouters.yaml @@ -0,0 +1,320 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicerouters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..a2af050c3d --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-servicesplitters.yaml @@ -0,0 +1,194 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicesplitters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.1.2/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..583c218be8 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/crd-terminatinggateways.yaml @@ -0,0 +1,145 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: terminatinggateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..4f83a1f82a --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/create-federation-secret-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/create-federation-secret-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/create-federation-secret-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/create-federation-secret-role.yaml diff --git a/charts/hashicorp/consul/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/create-federation-secret-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/create-federation-secret-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/create-federation-secret-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/create-federation-secret-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/create-federation-secret-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/dns-service.yaml b/charts/hashicorp/consul/1.1.2/templates/dns-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/dns-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/dns-service.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..0122690104 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/enterprise-license-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/enterprise-license-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/enterprise-license-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/enterprise-license-role.yaml diff --git a/charts/hashicorp/consul/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/enterprise-license-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/enterprise-license-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/enterprise-license-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/enterprise-license-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/enterprise-license-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.1.2/templates/expose-servers-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/expose-servers-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/expose-servers-service.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..9d296478a1 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,68 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gossip-encryption-autogenerate-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-role.yaml diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..4f72031855 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,362 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f7354da2b3 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/ingress-gateways-role.yaml diff --git a/charts/hashicorp/consul/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/ingress-gateways-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/ingress-gateways-service.yaml diff --git a/charts/hashicorp/consul/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/ingress-gateways-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/ingress-gateways-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..449d6ae492 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,307 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b5bbb2fa03 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,52 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-init-job.yaml new file mode 100644 index 0000000000..db73ef783b --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/partition-init-job.yaml @@ -0,0 +1,123 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-init-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-init-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/partition-init-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-init-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-init-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/partition-init-role.yaml diff --git a/charts/hashicorp/consul/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-init-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-init-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/partition-init-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-init-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-init-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/partition-init-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/partition-name-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-name-configmap.yaml rename to charts/hashicorp/consul/1.1.2/templates/partition-name-configmap.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/prometheus.yaml b/charts/hashicorp/consul/1.1.2/templates/prometheus.yaml new file mode 100644 index 0000000000..4dcede1745 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + consul.hashicorp.com/connect-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..35b0877ab4 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,81 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-cleanup-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-cleanup-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-role.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-cleanup-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-cleanup-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-cleanup-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..e62db41ec2 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-job.yaml @@ -0,0 +1,327 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-role.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/server-acl-init-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-acl-init-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..f7dd85f166 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/server-config-configmap.yaml @@ -0,0 +1,181 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + "domain": "{{ .Values.global.domain }}", + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.1.2/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/server-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/server-role.yaml b/charts/hashicorp/consul/1.1.2/templates/server-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-role.yaml diff --git a/charts/hashicorp/consul/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/server-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.1.2/templates/server-securitycontextconstraints.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-securitycontextconstraints.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-securitycontextconstraints.yaml diff --git a/charts/hashicorp/consul/templates/server-service.yaml b/charts/hashicorp/consul/1.1.2/templates/server-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-service.yaml diff --git a/charts/hashicorp/consul/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/server-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/server-snapshot-agent-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-snapshot-agent-configmap.yaml rename to charts/hashicorp/consul/1.1.2/templates/server-snapshot-agent-configmap.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.1.2/templates/server-statefulset.yaml new file mode 100644 index 0000000000..741fe0280d --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/server-statefulset.yaml @@ -0,0 +1,616 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/sync-catalog-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/sync-catalog-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..e88adea533 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-deployment.yaml @@ -0,0 +1,229 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/sync-catalog-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/sync-catalog-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/sync-catalog-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/sync-catalog-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/sync-catalog-serviceaccount.yaml diff --git a/charts/hashicorp/consul/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-configmap.yaml rename to charts/hashicorp/consul/1.1.2/templates/telemetry-collector-configmap.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..62b8868f1f --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,391 @@ +{{- if .Values.telemetryCollector.enabled }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: Always + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..286a92d0bd --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/telemetry-collector-role.yaml diff --git a/charts/hashicorp/consul/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/telemetry-collector-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/telemetry-collector-service.yaml diff --git a/charts/hashicorp/consul/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/telemetry-collector-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/telemetry-collector-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..2f2cb9a921 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,339 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..97ad2af961 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/terminating-gateways-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/terminating-gateways-service.yaml diff --git a/charts/hashicorp/consul/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/terminating-gateways-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/terminating-gateways-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.1.2/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..ba29bb84ae --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,73 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-cleanup-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-cleanup-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-role.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-cleanup-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-cleanup-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-cleanup-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-job.yaml new file mode 100644 index 0000000000..d002ae7a75 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/tls-init-job.yaml @@ -0,0 +1,115 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-role.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-role.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-rolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-rolebinding.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/tls-init-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/tls-init-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.1.2/templates/ui-ingress.yaml new file mode 100644 index 0000000000..0414a7cc2d --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/ui-ingress.yaml @@ -0,0 +1,83 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + rules: + {{ $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/ui-service.yaml b/charts/hashicorp/consul/1.1.2/templates/ui-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ui-service.yaml rename to charts/hashicorp/consul/1.1.2/templates/ui-service.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..e13e2dc741 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,53 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-configmap.yaml rename to charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-configmap.yaml diff --git a/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..dd93c039d2 --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,79 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-serviceaccount.yaml rename to charts/hashicorp/consul/1.1.2/templates/webhook-cert-manager-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.1.2/values.yaml b/charts/hashicorp/consul/1.1.2/values.yaml new file mode 100644 index 0000000000..349624f3fc --- /dev/null +++ b/charts/hashicorp/consul/1.1.2/values.yaml @@ -0,0 +1,3193 @@ +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.15.3 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [ ] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.1.2 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "namespace": "my-vault-ns", + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [ ] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [ ] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [ ] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` + # to be true. Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:`. + # (e.g. ["1.1.1.1:443", "2.3.4.5:443"] + # @type: array + primaryGateways: [ ] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.1.2 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [ ] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [Connect](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional Connect settings can be configured + # by setting the `server.extraConfig` value. + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '100Mi' + # cpu: '100m' + # limits: + # memory: '100Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [ ] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [ ] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: { } + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [ ] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [ ] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [ ] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: { } + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul Connect will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [ ] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [ ] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: [ "*" ] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: [ "kube-system", "kube-public" ] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + + # Configures metrics for Consul Connect services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "50Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "50Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Connect sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: [ "*" ] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [ ] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul Connect will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true` + # and `client.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true` + # and `client.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [ ] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.6" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.1" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: { } diff --git a/charts/hashicorp/consul/.helmignore b/charts/hashicorp/consul/1.2.0/.helmignore similarity index 100% rename from charts/hashicorp/consul/.helmignore rename to charts/hashicorp/consul/1.2.0/.helmignore diff --git a/charts/hashicorp/consul/1.2.0/Chart.yaml b/charts/hashicorp/consul/1.2.0/Chart.yaml new file mode 100644 index 0000000000..7946adaf87 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.16.0 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.2.0 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.2.0 + - name: envoy + image: envoyproxy/envoy:v1.25.1 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.16.0 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.2.0 diff --git a/charts/hashicorp/consul/1.2.0/README.md b/charts/hashicorp/consul/1.2.0/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/addons/gen.sh b/charts/hashicorp/consul/1.2.0/addons/gen.sh similarity index 100% rename from charts/hashicorp/consul/addons/gen.sh rename to charts/hashicorp/consul/1.2.0/addons/gen.sh diff --git a/charts/hashicorp/consul/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.2.0/addons/values/prometheus.yaml similarity index 100% rename from charts/hashicorp/consul/addons/values/prometheus.yaml rename to charts/hashicorp/consul/1.2.0/addons/values/prometheus.yaml diff --git a/charts/hashicorp/consul/1.2.0/assets/icon.png b/charts/hashicorp/consul/1.2.0/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.2.0/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.2.0/templates/NOTES.txt b/charts/hashicorp/consul/1.2.0/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/_helpers.tpl b/charts/hashicorp/consul/1.2.0/templates/_helpers.tpl new file mode 100644 index 0000000000..1b866888c0 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/_helpers.tpl @@ -0,0 +1,425 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..8c5c2fa73e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,302 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.2.0/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..f9650a100b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-config-configmap.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.2.0/templates/client-daemonset.yaml new file mode 100644 index 0000000000..09a70b394e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-daemonset.yaml @@ -0,0 +1,603 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-role.yaml b/charts/hashicorp/consul/1.2.0/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.0/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.0/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..ae04d9e657 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-daemonset.yaml @@ -0,0 +1,90 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..8c0bbe9bf7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,189 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + verbs: + - get + - patch + - update +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..479e05b25a --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-deployment.yaml @@ -0,0 +1,339 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e4fe79f621 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,358 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.0/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..bd1d6118b9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,197 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: controlplanerequestlimits.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + perparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..7ffddf7537 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-exportedservices.yaml @@ -0,0 +1,141 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: exportedservices.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..65d425edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,145 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: gatewayclassconfigs.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-gatewayclasses.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gatewayclasses-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-gatewayclasses.yaml diff --git a/charts/hashicorp/consul/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-gateways.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gateways-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-gateways.yaml diff --git a/charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-grpcroutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-grpcroutes-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-grpcroutes.yaml diff --git a/charts/hashicorp/consul/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-httproutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-httproutes-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-httproutes.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..ef33890461 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-ingressgateways.yaml @@ -0,0 +1,371 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: ingressgateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..c7d20883e8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-jwtproviders.yaml @@ -0,0 +1,259 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: jwtproviders.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + format: int64 + type: integer + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Backoff policy \n Defaults to Envoy's backoff + policy" + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation \n The default value from envoy + is 1s" + format: int64 + type: integer + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval" + format: int64 + type: integer + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-meshes.yaml new file mode 100644 index 0000000000..cdc11b6ed9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-meshes.yaml @@ -0,0 +1,209 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: meshes.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..859c8683ee --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-meshservices.yaml @@ -0,0 +1,58 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: meshservices.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..3822f3bdfe --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-peeringacceptors.yaml @@ -0,0 +1,148 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: peeringacceptors.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..405361c486 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-peeringdialers.yaml @@ -0,0 +1,148 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: peeringdialers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..30dd25f674 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-proxydefaults.yaml @@ -0,0 +1,257 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: proxydefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-referencegrants.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-referencegrants-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-referencegrants.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..c1d1c85a8e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-samenessgroups.yaml @@ -0,0 +1,131 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: samenessgroups.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c926ece62a --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-servicedefaults.yaml @@ -0,0 +1,497 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: servicedefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..335d2eff7a --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-serviceintentions.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: serviceintentions.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..ed95c15846 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-serviceresolvers.yaml @@ -0,0 +1,336 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: serviceresolvers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..0157f646b4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-servicerouters.yaml @@ -0,0 +1,314 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: servicerouters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..18fb10341e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-servicesplitters.yaml @@ -0,0 +1,188 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: servicesplitters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-tcproutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-tcproutes-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-tcproutes.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..955496aeee --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/crd-terminatinggateways.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: terminatinggateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-tlsroutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-tlsroutes-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-tlsroutes.yaml diff --git a/charts/hashicorp/consul/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.2.0/templates/crd-udproutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-udproutes-external.yaml rename to charts/hashicorp/consul/1.2.0/templates/crd-udproutes.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..4f83a1f82a --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/dns-service.yaml b/charts/hashicorp/consul/1.2.0/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..0122690104 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.2.0/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-cleanup-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..44f032b5fd --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-job.yaml @@ -0,0 +1,61 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-cleanup-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-cleanup-serviceaccount.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-cleanup-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-resources-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..441e64eb14 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-job.yaml @@ -0,0 +1,112 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-resources-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/gateway-resources-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-serviceaccount.yaml rename to charts/hashicorp/consul/1.2.0/templates/gateway-resources-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..9d296478a1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,68 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..4f72031855 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,362 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f7354da2b3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..449d6ae492 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,307 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b5bbb2fa03 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,52 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-init-job.yaml new file mode 100644 index 0000000000..db73ef783b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-init-job.yaml @@ -0,0 +1,123 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/prometheus.yaml b/charts/hashicorp/consul/1.2.0/templates/prometheus.yaml new file mode 100644 index 0000000000..4dcede1745 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + consul.hashicorp.com/connect-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..35b0877ab4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,81 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..e62db41ec2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-job.yaml @@ -0,0 +1,327 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/server-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-clusterrole.yaml rename to charts/hashicorp/consul/1.2.0/templates/server-clusterrole.yaml diff --git a/charts/hashicorp/consul/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/server-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.2.0/templates/server-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.2.0/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..1ad04a42b5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-config-configmap.yaml @@ -0,0 +1,190 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} + +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-role.yaml b/charts/hashicorp/consul/1.2.0/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.0/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-service.yaml b/charts/hashicorp/consul/1.2.0/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.2.0/templates/server-statefulset.yaml new file mode 100644 index 0000000000..0bde9b881a --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/server-statefulset.yaml @@ -0,0 +1,633 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -config-file=/consul/extra-config/locality.json + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..e88adea533 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-deployment.yaml @@ -0,0 +1,229 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..62b8868f1f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,391 @@ +{{- if .Values.telemetryCollector.enabled }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: Always + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..286a92d0bd --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..2f2cb9a921 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,339 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..97ad2af961 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.2.0/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..ba29bb84ae --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,73 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-job.yaml new file mode 100644 index 0000000000..d002ae7a75 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-job.yaml @@ -0,0 +1,115 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.2.0/templates/ui-ingress.yaml new file mode 100644 index 0000000000..0414a7cc2d --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ui-ingress.yaml @@ -0,0 +1,83 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + rules: + {{ $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/ui-service.yaml b/charts/hashicorp/consul/1.2.0/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..e13e2dc741 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,53 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..dd93c039d2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,79 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.0/todo.txt b/charts/hashicorp/consul/1.2.0/todo.txt new file mode 100644 index 0000000000..c79bef389b --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/todo.txt @@ -0,0 +1,3 @@ + +- [x] Remove gatewayclass gatewayclassconfig bats +- [ ] Add test for each of the CRDs diff --git a/charts/hashicorp/consul/1.2.0/values.yaml b/charts/hashicorp/consul/1.2.0/values.yaml new file mode 100644 index 0000000000..0ea313e4b1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.0/values.yaml @@ -0,0 +1,3305 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: hashicorp/consul:1.16.0" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.16.0 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.2.0 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "namespace": "my-vault-ns", + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `meshGateway.enabled` and `connectInject.enabled` + # to be true. Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:`. + # (e.g. ["1.1.1.1:443", "2.3.4.5:443"] + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: "hashicorp/consul-dataplane:1.2.0" + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [ ] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [Connect](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional Connect settings can be configured + # by setting the `server.extraConfig` value. + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul Connect will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul Connect services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Connect sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul Connect will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17 +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.1" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.1" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: { } diff --git a/charts/hashicorp/consul/1.2.1/.helmignore b/charts/hashicorp/consul/1.2.1/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.2.1/Chart.yaml b/charts/hashicorp/consul/1.2.1/Chart.yaml new file mode 100644 index 0000000000..ea481efeaa --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.16.1 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.2.1 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.2.1 + - name: envoy + image: envoyproxy/envoy:v1.25.9 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.16.1 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.2.1 diff --git a/charts/hashicorp/consul/1.2.1/README.md b/charts/hashicorp/consul/1.2.1/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.2.1/addons/gen.sh b/charts/hashicorp/consul/1.2.1/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.2.1/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.2.1/assets/icon.png b/charts/hashicorp/consul/1.2.1/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.2.1/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.2.1/templates/NOTES.txt b/charts/hashicorp/consul/1.2.1/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/_helpers.tpl b/charts/hashicorp/consul/1.2.1/templates/_helpers.tpl new file mode 100644 index 0000000000..18f57b188c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/_helpers.tpl @@ -0,0 +1,448 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..8c5c2fa73e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,302 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.2.1/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..d91a4d21bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-config-configmap.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.2.1/templates/client-daemonset.yaml new file mode 100644 index 0000000000..345c5c731e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-daemonset.yaml @@ -0,0 +1,599 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-role.yaml b/charts/hashicorp/consul/1.2.1/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.1/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.1/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..ae04d9e657 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-daemonset.yaml @@ -0,0 +1,90 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..f1f6b3878f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,199 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + verbs: + - get + - patch + - update +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..e726c9ecc9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-deployment.yaml @@ -0,0 +1,353 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e4fe79f621 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,358 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.1/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..2b0c45a621 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,203 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controlplanerequestlimits.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + perparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..591500cb12 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-exportedservices.yaml @@ -0,0 +1,147 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: exportedservices.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..8140902f78 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,164 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: gatewayclassconfigs.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + openshiftSCCName: + description: The name of an existing SecurityContextConstraints + resource to bind to the managed role when running on OpenShift. + type: string + mapPrivilegedContainerPorts: + type: integer + format: int32 + minimum: 0 + maximum: 64512 + description: mapPrivilegedContainerPorts is the value which Consul will add to privileged container port + values (ports < 1024) defined on a Gateway when the number is greater than 0. This cannot be more than + 64512 as the highest privileged port is 1023, which would then map to 65535, which is the highest + valid port number. + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..f7b039531f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-gatewayclasses.yaml @@ -0,0 +1,329 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-gateways.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-gateways.yaml new file mode 100644 index 0000000000..ae5de48de9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-gateways.yaml @@ -0,0 +1,883 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..8f22dbc196 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-grpcroutes.yaml @@ -0,0 +1,767 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..2aa4478c66 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-httproutes.yaml @@ -0,0 +1,1915 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..a01fafd8dd --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-ingressgateways.yaml @@ -0,0 +1,377 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: ingressgateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..8a51d16b68 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-jwtproviders.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: jwtproviders.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + format: int64 + type: integer + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Backoff policy \n Defaults to Envoy's backoff + policy" + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation \n The default value from envoy + is 1s" + format: int64 + type: integer + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval" + format: int64 + type: integer + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-meshes.yaml new file mode 100644 index 0000000000..0710d41280 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-meshes.yaml @@ -0,0 +1,215 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshes.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..df8f673bdc --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-meshservices.yaml @@ -0,0 +1,64 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshservices.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..e06e830f04 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-peeringacceptors.yaml @@ -0,0 +1,154 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringacceptors.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..e24401e761 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-peeringdialers.yaml @@ -0,0 +1,154 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringdialers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..362672c1c1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-proxydefaults.yaml @@ -0,0 +1,263 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: proxydefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-referencegrants.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-referencegrants.yaml new file mode 100644 index 0000000000..d50211291d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-referencegrants.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..60beb5662c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-samenessgroups.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: samenessgroups.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..870f5ad86c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-servicedefaults.yaml @@ -0,0 +1,503 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicedefaults.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30000ms or 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..c4d2b5f20d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-serviceintentions.yaml @@ -0,0 +1,319 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceintentions.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..0d46f83539 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-serviceresolvers.yaml @@ -0,0 +1,346 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceresolvers.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..f28da9e7c1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-servicerouters.yaml @@ -0,0 +1,320 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicerouters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..a2af050c3d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-servicesplitters.yaml @@ -0,0 +1,194 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicesplitters.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..a17f457a78 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-tcproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..583c218be8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-terminatinggateways.yaml @@ -0,0 +1,145 @@ +{{- if .Values.connectInject.enabled }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: terminatinggateways.consul.hashicorp.com + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-tlsroutes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-tlsroutes.yaml new file mode 100644 index 0000000000..be72f47d65 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-tlsroutes.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/crd-udproutes.yaml b/charts/hashicorp/consul/1.2.1/templates/crd-udproutes.yaml new file mode 100644 index 0000000000..fe331cca30 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/crd-udproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..678a2af3ba --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/dns-service.yaml b/charts/hashicorp/consul/1.2.1/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..0122690104 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.2.1/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..a987c3b591 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-job.yaml @@ -0,0 +1,65 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..de64e2d70d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-job.yaml @@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..02fb3ea168 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,69 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..c10f1549f6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,364 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f7354da2b3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..1936138db3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,307 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b5bbb2fa03 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,52 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-init-job.yaml new file mode 100644 index 0000000000..9209f850c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-init-job.yaml @@ -0,0 +1,124 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/prometheus.yaml b/charts/hashicorp/consul/1.2.1/templates/prometheus.yaml new file mode 100644 index 0000000000..4dcede1745 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + consul.hashicorp.com/connect-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..39754d6c6f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,88 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..e8a06cf7aa --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-job.yaml @@ -0,0 +1,334 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.2.1/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..6c102f0ae3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-config-configmap.yaml @@ -0,0 +1,216 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ $element.name }}": { + {{- $firstKeyValuePair := false }} + {{- range $k, $v := $element }} + {{- if ne $k "name" }} + {{- if ne $firstKeyValuePair false }},{{end}} + {{- $firstKeyValuePair = true }} + "{{ $k }}": "{{ $v }}" + {{- end }} + {{- end }} + } + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.1/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-role.yaml b/charts/hashicorp/consul/1.2.1/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.1/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-service.yaml b/charts/hashicorp/consul/1.2.1/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.2.1/templates/server-statefulset.yaml new file mode 100644 index 0000000000..04c84df71b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/server-statefulset.yaml @@ -0,0 +1,636 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -config-file=/consul/extra-config/locality.json + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..a8793ef6f6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-deployment.yaml @@ -0,0 +1,230 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..bf00fd9a03 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,391 @@ +{{- if .Values.telemetryCollector.enabled }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: Always + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..286a92d0bd --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..9433e44bc9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,341 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..97ad2af961 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.2.1/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..2254a38ed2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,83 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-job.yaml new file mode 100644 index 0000000000..47651fe14b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-job.yaml @@ -0,0 +1,125 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.2.1/templates/ui-ingress.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ui-ingress.yaml rename to charts/hashicorp/consul/1.2.1/templates/ui-ingress.yaml diff --git a/charts/hashicorp/consul/1.2.1/templates/ui-service.yaml b/charts/hashicorp/consul/1.2.1/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..e13e2dc741 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,53 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..7ba25b330c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,80 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.1/todo.txt b/charts/hashicorp/consul/1.2.1/todo.txt new file mode 100644 index 0000000000..c79bef389b --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/todo.txt @@ -0,0 +1,3 @@ + +- [x] Remove gatewayclass gatewayclassconfig bats +- [ ] Add test for each of the CRDs diff --git a/charts/hashicorp/consul/1.2.1/values.yaml b/charts/hashicorp/consul/1.2.1/values.yaml new file mode 100644 index 0000000000..c0bdc40f9c --- /dev/null +++ b/charts/hashicorp/consul/1.2.1/values.yaml @@ -0,0 +1,3495 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.16.1 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.2.1 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "namespace": "my-vault-ns", + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.2.1 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17 +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.9" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.1" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.2.2/.helmignore b/charts/hashicorp/consul/1.2.2/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.2.2/Chart.yaml b/charts/hashicorp/consul/1.2.2/Chart.yaml new file mode 100644 index 0000000000..0910b34da1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.16.2 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.2.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.2.2 + - name: envoy + image: envoyproxy/envoy:v1.25.9 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.16.2 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.2.2 diff --git a/charts/hashicorp/consul/1.2.2/README.md b/charts/hashicorp/consul/1.2.2/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.2.2/addons/gen.sh b/charts/hashicorp/consul/1.2.2/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.2.2/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.2.2/assets/icon.png b/charts/hashicorp/consul/1.2.2/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.2.2/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.2.2/templates/NOTES.txt b/charts/hashicorp/consul/1.2.2/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/_helpers.tpl b/charts/hashicorp/consul/1.2.2/templates/_helpers.tpl new file mode 100644 index 0000000000..5cefb9ec81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/_helpers.tpl @@ -0,0 +1,450 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..11396c8a03 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,305 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.2.2/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..d91a4d21bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-config-configmap.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.2.2/templates/client-daemonset.yaml new file mode 100644 index 0000000000..61425cfdb8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-daemonset.yaml @@ -0,0 +1,602 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-role.yaml b/charts/hashicorp/consul/1.2.2/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.2/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.2/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..ae04d9e657 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-daemonset.yaml @@ -0,0 +1,90 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..f1f6b3878f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,199 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + verbs: + - get + - patch + - update +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..eebdc00baf --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-deployment.yaml @@ -0,0 +1,356 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e4fe79f621 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,358 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.2/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..01722c0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,206 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + perparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..dd6b6ba3b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-exportedservices.yaml @@ -0,0 +1,150 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..98ecb345f3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,211 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..7b3677a8aa --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-gatewayclasses.yaml @@ -0,0 +1,330 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-gateways.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-gateways.yaml new file mode 100644 index 0000000000..cc8ca2dbbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-gateways.yaml @@ -0,0 +1,884 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..642f3547c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-grpcroutes.yaml @@ -0,0 +1,768 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..69663dd208 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-httproutes.yaml @@ -0,0 +1,1916 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..51c02422b2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-ingressgateways.yaml @@ -0,0 +1,458 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..9f97922eb5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-jwtproviders.yaml @@ -0,0 +1,328 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + format: int64 + type: integer + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: "JWKSCluster defines how the specified Remote JWKS + URI is to be fetched." + properties: + connectTimeout: + description: "The timeout for new network connections to hosts + in the cluster. \n If not set, a default value of 5s will be + used." + format: int64 + type: integer + discoveryType: + description: "DiscoveryType refers to the service discovery type + to use for resolving the cluster. \n Defaults to STRICT_DNS." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying a presented + peer certificate." + properties: + caCertificateProviderInstance: + description: "CaCertificateProviderInstance Certificate provider + instance for fetching TLS certificates." + properties: + instanceName: + description: "InstanceName refers to the certificate provider + instance name. \n The default value is 'default'." + type: string + certificateName: + description: "CertificateName is used to specify certificate + instances or types. For example, \"ROOTCA\" to specify a + root-certificate (validation context) or \"example.com\" + to specify a certificate for a particular domain. \n + The default value is the empty string." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data containing + certificate authority certificates to use in verifying a presented + peer certificate. \n Exactly one of Filename, EnvironmentVariable, + InlineString or InlineBytes must be specified." + properties: + filename: + description: "The name of the file on the local system to use a + data source for trusted CA certificates." + type: string + environmentVariable: + description: "The environment variable on the local system to use + a data source for trusted CA certificates." + type: string + inlineString: + description: "A string to inline in the configuration for use as + a data source for trusted CA certificates." + type: string + inlineBytes: + description: "A sequence of bytes to inline in the configuration + for use as a data source for trusted CA certificates." + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Backoff policy \n Defaults to Envoy's backoff + policy" + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation \n The default value from envoy + is 1s" + format: int64 + type: integer + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval" + format: int64 + type: integer + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-meshes.yaml new file mode 100644 index 0000000000..b1b2319579 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-meshes.yaml @@ -0,0 +1,218 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..d52da5a028 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-meshservices.yaml @@ -0,0 +1,66 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..6f335e83a2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-peeringacceptors.yaml @@ -0,0 +1,157 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..5fa49f1eed --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-peeringdialers.yaml @@ -0,0 +1,157 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..7bc5c6078a --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-proxydefaults.yaml @@ -0,0 +1,266 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-referencegrants.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-referencegrants.yaml new file mode 100644 index 0000000000..d50211291d --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-referencegrants.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..179972a9d6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-samenessgroups.yaml @@ -0,0 +1,140 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..9e6c304bec --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-servicedefaults.yaml @@ -0,0 +1,513 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..edc7c7078b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-serviceintentions.yaml @@ -0,0 +1,322 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..bbc2e5b650 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-serviceresolvers.yaml @@ -0,0 +1,349 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..d36e8028b5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..15f7714a84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-servicesplitters.yaml @@ -0,0 +1,197 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ba21ccd58a --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-tcproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..fae09bff53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-terminatinggateways.yaml @@ -0,0 +1,148 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-tlsroutes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-tlsroutes.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-tlsroutes.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/crd-udproutes.yaml b/charts/hashicorp/consul/1.2.2/templates/crd-udproutes.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/crd-udproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..678a2af3ba --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/dns-service.yaml b/charts/hashicorp/consul/1.2.2/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..0122690104 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.2.2/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..20d2f8116e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-job.yaml @@ -0,0 +1,58 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..de510d9dc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-job.yaml @@ -0,0 +1,123 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..02fb3ea168 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,69 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..df9f500e3c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,367 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.2.2/templates/ingress-gateways-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..ac050e7199 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,310 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-init-job.yaml new file mode 100644 index 0000000000..6e21289f22 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-init-job.yaml @@ -0,0 +1,127 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/prometheus.yaml b/charts/hashicorp/consul/1.2.2/templates/prometheus.yaml new file mode 100644 index 0000000000..4dcede1745 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + consul.hashicorp.com/connect-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..39754d6c6f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,88 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..0b46697f31 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-job.yaml @@ -0,0 +1,344 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.2.2/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..9ebfbd2571 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-config-configmap.yaml @@ -0,0 +1,210 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.2/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-role.yaml b/charts/hashicorp/consul/1.2.2/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.2/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-service.yaml b/charts/hashicorp/consul/1.2.2/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.2.2/templates/server-statefulset.yaml new file mode 100644 index 0000000000..a5dd04e904 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/server-statefulset.yaml @@ -0,0 +1,645 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -config-file=/consul/extra-config/locality.json + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..f4aeb1cdb8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-deployment.yaml @@ -0,0 +1,233 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..6c7824b55e --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,394 @@ +{{- if .Values.telemetryCollector.enabled }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: Always + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.2.2/templates/telemetry-collector-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..ea2131b8a2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,344 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.2.2/templates/terminating-gateways-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.2.2/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..2254a38ed2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,83 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-job.yaml new file mode 100644 index 0000000000..47651fe14b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-job.yaml @@ -0,0 +1,125 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.2.2/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/ui-service.yaml b/charts/hashicorp/consul/1.2.2/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..e13e2dc741 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,53 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..7ba25b330c --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,80 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.2/todo.txt b/charts/hashicorp/consul/1.2.2/todo.txt new file mode 100644 index 0000000000..c79bef389b --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/todo.txt @@ -0,0 +1,3 @@ + +- [x] Remove gatewayclass gatewayclassconfig bats +- [ ] Add test for each of the CRDs diff --git a/charts/hashicorp/consul/1.2.2/values.yaml b/charts/hashicorp/consul/1.2.2/values.yaml new file mode 100644 index 0000000000..e3bbfc181a --- /dev/null +++ b/charts/hashicorp/consul/1.2.2/values.yaml @@ -0,0 +1,3513 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.16.2 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.2.2 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for `gossip-encryption-autogenerate-job` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. Format this value as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. Format this value as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the `create-federation-secret-job` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.2.2 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount Consul will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for `mesh-gateway-deployment` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for `ingress-gateways-deployment` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17 +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.9" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.1" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.2.3/.helmignore b/charts/hashicorp/consul/1.2.3/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.2.3/Chart.yaml b/charts/hashicorp/consul/1.2.3/Chart.yaml new file mode 100644 index 0000000000..7f6e754775 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.16.3 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.2.3 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.2.3 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.16.3 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.2.3 diff --git a/charts/hashicorp/consul/1.2.3/README.md b/charts/hashicorp/consul/1.2.3/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.2.3/addons/gen.sh b/charts/hashicorp/consul/1.2.3/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.2.3/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.2.3/assets/icon.png b/charts/hashicorp/consul/1.2.3/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.2.3/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.2.3/templates/NOTES.txt b/charts/hashicorp/consul/1.2.3/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/_helpers.tpl b/charts/hashicorp/consul/1.2.3/templates/_helpers.tpl new file mode 100644 index 0000000000..5cefb9ec81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/_helpers.tpl @@ -0,0 +1,450 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..11396c8a03 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,305 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.2.3/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..d91a4d21bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-config-configmap.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.2.3/templates/client-daemonset.yaml new file mode 100644 index 0000000000..61425cfdb8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-daemonset.yaml @@ -0,0 +1,602 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-role.yaml b/charts/hashicorp/consul/1.2.3/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.3/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.3/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..ae04d9e657 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-daemonset.yaml @@ -0,0 +1,90 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..f1f6b3878f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,199 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + verbs: + - get + - patch + - update +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..eebdc00baf --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-deployment.yaml @@ -0,0 +1,356 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e4fe79f621 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,358 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.3/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..326445e05b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,206 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..dd6b6ba3b8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-exportedservices.yaml @@ -0,0 +1,150 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..98ecb345f3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,211 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..7b3677a8aa --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-gatewayclasses.yaml @@ -0,0 +1,330 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-gateways.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-gateways.yaml new file mode 100644 index 0000000000..cc8ca2dbbe --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-gateways.yaml @@ -0,0 +1,884 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..642f3547c8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-grpcroutes.yaml @@ -0,0 +1,768 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..69663dd208 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-httproutes.yaml @@ -0,0 +1,1916 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..51c02422b2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-ingressgateways.yaml @@ -0,0 +1,458 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..9f97922eb5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-jwtproviders.yaml @@ -0,0 +1,328 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + format: int64 + type: integer + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: "JWKSCluster defines how the specified Remote JWKS + URI is to be fetched." + properties: + connectTimeout: + description: "The timeout for new network connections to hosts + in the cluster. \n If not set, a default value of 5s will be + used." + format: int64 + type: integer + discoveryType: + description: "DiscoveryType refers to the service discovery type + to use for resolving the cluster. \n Defaults to STRICT_DNS." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying a presented + peer certificate." + properties: + caCertificateProviderInstance: + description: "CaCertificateProviderInstance Certificate provider + instance for fetching TLS certificates." + properties: + instanceName: + description: "InstanceName refers to the certificate provider + instance name. \n The default value is 'default'." + type: string + certificateName: + description: "CertificateName is used to specify certificate + instances or types. For example, \"ROOTCA\" to specify a + root-certificate (validation context) or \"example.com\" + to specify a certificate for a particular domain. \n + The default value is the empty string." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data containing + certificate authority certificates to use in verifying a presented + peer certificate. \n Exactly one of Filename, EnvironmentVariable, + InlineString or InlineBytes must be specified." + properties: + filename: + description: "The name of the file on the local system to use a + data source for trusted CA certificates." + type: string + environmentVariable: + description: "The environment variable on the local system to use + a data source for trusted CA certificates." + type: string + inlineString: + description: "A string to inline in the configuration for use as + a data source for trusted CA certificates." + type: string + inlineBytes: + description: "A sequence of bytes to inline in the configuration + for use as a data source for trusted CA certificates." + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Backoff policy \n Defaults to Envoy's backoff + policy" + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation \n The default value from envoy + is 1s" + format: int64 + type: integer + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval" + format: int64 + type: integer + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-meshes.yaml new file mode 100644 index 0000000000..b1b2319579 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-meshes.yaml @@ -0,0 +1,218 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..d52da5a028 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-meshservices.yaml @@ -0,0 +1,66 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..6f335e83a2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-peeringacceptors.yaml @@ -0,0 +1,157 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..5fa49f1eed --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-peeringdialers.yaml @@ -0,0 +1,157 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..7bc5c6078a --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-proxydefaults.yaml @@ -0,0 +1,266 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-referencegrants.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-referencegrants.yaml new file mode 100644 index 0000000000..d50211291d --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-referencegrants.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..179972a9d6 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-samenessgroups.yaml @@ -0,0 +1,140 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..9e6c304bec --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-servicedefaults.yaml @@ -0,0 +1,513 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..edc7c7078b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-serviceintentions.yaml @@ -0,0 +1,322 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..bbc2e5b650 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-serviceresolvers.yaml @@ -0,0 +1,349 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..d36e8028b5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..15f7714a84 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-servicesplitters.yaml @@ -0,0 +1,197 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ba21ccd58a --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-tcproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..fae09bff53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-terminatinggateways.yaml @@ -0,0 +1,148 @@ +{{- if .Values.connectInject.enabled }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-tlsroutes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-tlsroutes.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-tlsroutes.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/crd-udproutes.yaml b/charts/hashicorp/consul/1.2.3/templates/crd-udproutes.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/crd-udproutes.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..678a2af3ba --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/dns-service.yaml b/charts/hashicorp/consul/1.2.3/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..0122690104 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-job.yaml @@ -0,0 +1,144 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.2.3/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..20d2f8116e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-job.yaml @@ -0,0 +1,58 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..de510d9dc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-job.yaml @@ -0,0 +1,123 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..02fb3ea168 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,69 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..df9f500e3c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,367 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..ac050e7199 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,310 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-init-job.yaml new file mode 100644 index 0000000000..6e21289f22 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-init-job.yaml @@ -0,0 +1,127 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/prometheus.yaml b/charts/hashicorp/consul/1.2.3/templates/prometheus.yaml new file mode 100644 index 0000000000..4dcede1745 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + consul.hashicorp.com/connect-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..39754d6c6f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,88 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..0b46697f31 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-job.yaml @@ -0,0 +1,344 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.2.3/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..9ebfbd2571 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-config-configmap.yaml @@ -0,0 +1,210 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.2.3/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-role.yaml b/charts/hashicorp/consul/1.2.3/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.2.3/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-service.yaml b/charts/hashicorp/consul/1.2.3/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.2.3/templates/server-statefulset.yaml new file mode 100644 index 0000000000..a5dd04e904 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/server-statefulset.yaml @@ -0,0 +1,645 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -config-file=/consul/extra-config/locality.json + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..f4aeb1cdb8 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-deployment.yaml @@ -0,0 +1,233 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..6c7824b55e --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,394 @@ +{{- if .Values.telemetryCollector.enabled }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: Always + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..ea2131b8a2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,344 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.2.3/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..2254a38ed2 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,83 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-job.yaml new file mode 100644 index 0000000000..47651fe14b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-job.yaml @@ -0,0 +1,125 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.2.3/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/ui-service.yaml b/charts/hashicorp/consul/1.2.3/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..e13e2dc741 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,53 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..7ba25b330c --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,80 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.2.3/todo.txt b/charts/hashicorp/consul/1.2.3/todo.txt new file mode 100644 index 0000000000..c79bef389b --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/todo.txt @@ -0,0 +1,3 @@ + +- [x] Remove gatewayclass gatewayclassconfig bats +- [ ] Add test for each of the CRDs diff --git a/charts/hashicorp/consul/1.2.3/values.yaml b/charts/hashicorp/consul/1.2.3/values.yaml new file mode 100644 index 0000000000..caffadc6d5 --- /dev/null +++ b/charts/hashicorp/consul/1.2.3/values.yaml @@ -0,0 +1,3513 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.16.3 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.2.3 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for `gossip-encryption-autogenerate-job` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. Format this value as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. Format this value as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the `create-federation-secret-job` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.2.3 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount Consul will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for `mesh-gateway-deployment` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for `ingress-gateways-deployment` pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.3.0/.helmignore b/charts/hashicorp/consul/1.3.0/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.3.0/Chart.yaml b/charts/hashicorp/consul/1.3.0/Chart.yaml new file mode 100644 index 0000000000..9ed51669da --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.0 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.0 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.0 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.17.0 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.3.0 diff --git a/charts/hashicorp/consul/1.3.0/README.md b/charts/hashicorp/consul/1.3.0/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.3.0/addons/gen.sh b/charts/hashicorp/consul/1.3.0/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.3.0/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.3.0/assets/icon.png b/charts/hashicorp/consul/1.3.0/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.3.0/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.3.0/templates/NOTES.txt b/charts/hashicorp/consul/1.3.0/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/_helpers.tpl b/charts/hashicorp/consul/1.3.0/templates/_helpers.tpl new file mode 100644 index 0000000000..5f06839923 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/_helpers.tpl @@ -0,0 +1,502 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if temeletryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, global.cloud.resourceId.secretName, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (or (not .Values.global.cloud.resourceId.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, global.cloud.resourceId.secretName,telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When telemetryCollector has clientId and clientSecret global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When telemetryCollector has clientId and clientSecret .global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.adminPartitions.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..1bd1f8500a --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.3.0/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..d91a4d21bf --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-config-configmap.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} + central-config.json: |- + { + "enable_central_service_config": true + } + + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.3.0/templates/client-daemonset.yaml new file mode 100644 index 0000000000..e7dd83ef26 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-daemonset.yaml @@ -0,0 +1,603 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/client-config-configmap.yaml") . | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-role.yaml b/charts/hashicorp/consul/1.3.0/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.0/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.0/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..2506637949 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,255 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes + - httproutes + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes/status + - httproutes/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..53f894035a --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-deployment.yaml @@ -0,0 +1,361 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-mutatingwebhookconfiguration.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml rename to charts/hashicorp/consul/1.3.0/templates/connect-inject-mutatingwebhookconfiguration.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.0/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-controlplanerequestlimits.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-controlplanerequestlimits.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-controlplanerequestlimits.yaml diff --git a/charts/hashicorp/consul/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-exportedservices.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-exportedservices-v1.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-exportedservices.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..130db72a22 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..391637b5f7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,331 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-gatewaypolicies.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gatewaypolicies.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-gatewaypolicies.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..ab56d4f5fb --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-gateways-external.yaml @@ -0,0 +1,885 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..3e4aa75853 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,769 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..c89591376a --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-httproutes-external.yaml @@ -0,0 +1,1917 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-ingressgateways.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-ingressgateways.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-ingressgateways.yaml diff --git a/charts/hashicorp/consul/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-jwtproviders.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-jwtproviders.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-jwtproviders.yaml diff --git a/charts/hashicorp/consul/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-meshes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-meshes.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-meshes.yaml diff --git a/charts/hashicorp/consul/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-meshservices.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-meshservices.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-meshservices.yaml diff --git a/charts/hashicorp/consul/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-peeringacceptors.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-peeringacceptors.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-peeringacceptors.yaml diff --git a/charts/hashicorp/consul/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-peeringdialers.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-peeringdialers.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-peeringdialers.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..9a33bd2bab --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,423 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + envoyExtensions: + items: + description: EnvoyExtension has configuration for an extension + that patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + consulVersion: + type: string + envoyVersion: + type: string + name: + type: string + required: + type: boolean + type: object + type: array + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int64 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-proxydefaults.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-proxydefaults.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-proxydefaults.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..6ae177d987 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-referencegrants-external.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-routeauthfilters.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-routeauthfilters.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-routeauthfilters.yaml diff --git a/charts/hashicorp/consul/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-routeretryfilters.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-routeretryfilters.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-routeretryfilters.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..95ab50320d --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,105 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + type: string + requestTimeout: + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-samenessgroups.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-samenessgroups.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-samenessgroups.yaml diff --git a/charts/hashicorp/consul/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-servicedefaults.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-servicedefaults.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-servicedefaults.yaml diff --git a/charts/hashicorp/consul/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-serviceintentions.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-serviceintentions.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-serviceintentions.yaml diff --git a/charts/hashicorp/consul/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-serviceresolvers.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-serviceresolvers.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-serviceresolvers.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..72690c60e4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-servicerouters.yaml @@ -0,0 +1,312 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-servicesplitters.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-servicesplitters.yaml rename to charts/hashicorp/consul/1.3.0/templates/crd-servicesplitters.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..91989135e2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..565aa63381 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-terminatinggateways.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.3.0/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/crd-udproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..f0d5a1c821 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/dns-service.yaml b/charts/hashicorp/consul/1.3.0/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..80ae582152 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.3.0/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..df6c22fd30 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-job.yaml @@ -0,0 +1,59 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..1136d2e0fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-job.yaml @@ -0,0 +1,124 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cc5b5397c2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..4eef2e96ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..afb5d44a0e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,311 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-init-job.yaml new file mode 100644 index 0000000000..59a119e0c7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-init-job.yaml @@ -0,0 +1,128 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/prometheus.yaml b/charts/hashicorp/consul/1.3.0/templates/prometheus.yaml similarity index 100% rename from charts/hashicorp/consul/templates/prometheus.yaml rename to charts/hashicorp/consul/1.3.0/templates/prometheus.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..aca1444a9b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-job.yaml @@ -0,0 +1,349 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.3.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..9ebfbd2571 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-config-configmap.yaml @@ -0,0 +1,210 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-role.yaml b/charts/hashicorp/consul/1.3.0/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.0/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-service.yaml b/charts/hashicorp/consul/1.3.0/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.3.0/templates/server-statefulset.yaml new file mode 100644 index 0000000000..d2785369c7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/server-statefulset.yaml @@ -0,0 +1,650 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-file=/consul/extra-config/extra-from-values.json \ + -config-file=/consul/extra-config/locality.json \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -hcl="experiments=[\"resource-apis\"]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..f81b999e79 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..396cc147ab --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,394 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" \ + -proxy-id-file="/consul/connect-inject/proxyid" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..a88277f3b2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,378 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if .Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the global cloud section but we will share it here + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + - -login-namespace="default" + {{- else }} + - -login-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - foo + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + - -service-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..3a1a23fad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.3.0/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-job.yaml new file mode 100644 index 0000000000..54727e03dd --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.3.0/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/ui-service.yaml b/charts/hashicorp/consul/1.3.0/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-clusterrole.yaml rename to charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-clusterrole.yaml diff --git a/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..29b85d7079 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.0/values.yaml b/charts/hashicorp/consul/1.3.0/values.yaml new file mode 100644 index 0000000000..3d295cf25f --- /dev/null +++ b/charts/hashicorp/consul/1.3.0/values.yaml @@ -0,0 +1,3531 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.17.0 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.3.0 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.3.0 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will enable the installation of an HCP Consul + # self-managed cluster. + enabled: false + + # The name of the Kubernetes secret that holds the HCP resource id. + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client secret. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud client id. + # This is optional when global.cloud.enabled is true. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud authorization url. + # This is optional when global.cloud.enabled is true. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The name of the Kubernetes secret that holds the HCP cloud scada address. + # This is optional when global.cloud.enabled is true. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [ ] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # * `resource-apis`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [ ] + + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + clientId: + secretName: null + secretKey: null + clientSecret: + secretName: null + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: { } diff --git a/charts/hashicorp/consul/1.3.1/.helmignore b/charts/hashicorp/consul/1.3.1/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.3.1/Chart.yaml b/charts/hashicorp/consul/1.3.1/Chart.yaml new file mode 100644 index 0000000000..58acd9ad07 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.1 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.1 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.1 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.17.1 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.3.1 diff --git a/charts/hashicorp/consul/1.3.1/README.md b/charts/hashicorp/consul/1.3.1/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.3.1/addons/gen.sh b/charts/hashicorp/consul/1.3.1/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.3.1/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.3.1/assets/icon.png b/charts/hashicorp/consul/1.3.1/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.3.1/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.3.1/templates/NOTES.txt b/charts/hashicorp/consul/1.3.1/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/_helpers.tpl b/charts/hashicorp/consul/1.3.1/templates/_helpers.tpl new file mode 100644 index 0000000000..809d965a6e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/_helpers.tpl @@ -0,0 +1,521 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.adminPartitions.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..1bd1f8500a --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.3.1/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/client-config-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-config-configmap.yaml rename to charts/hashicorp/consul/1.3.1/templates/client-config-configmap.yaml diff --git a/charts/hashicorp/consul/1.3.1/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.3.1/templates/client-daemonset.yaml new file mode 100644 index 0000000000..dd0454b10d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-daemonset.yaml @@ -0,0 +1,608 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/client-role.yaml b/charts/hashicorp/consul/1.3.1/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.1/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.1/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/client-tmp-extra-config-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-tmp-extra-config-configmap.yaml rename to charts/hashicorp/consul/1.3.1/templates/client-tmp-extra-config-configmap.yaml diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..2506637949 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,255 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes + - httproutes + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes/status + - httproutes/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..2fafae7df1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-deployment.yaml @@ -0,0 +1,364 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.1/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-exportedservices.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..130db72a22 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..391637b5f7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,331 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..ab56d4f5fb --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-gateways-external.yaml @@ -0,0 +1,885 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..3e4aa75853 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,769 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..c89591376a --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-httproutes-external.yaml @@ -0,0 +1,1917 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..9a33bd2bab --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,423 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + envoyExtensions: + items: + description: EnvoyExtension has configuration for an extension + that patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + consulVersion: + type: string + envoyVersion: + type: string + name: + type: string + required: + type: boolean + type: object + type: array + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int64 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..6ae177d987 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-referencegrants-external.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..95ab50320d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,105 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + type: string + requestTimeout: + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c4e06d05bc --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-servicerouters.yaml @@ -0,0 +1,319 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..91989135e2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..565aa63381 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-terminatinggateways.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.3.1/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/crd-udproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..f0d5a1c821 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/dns-service.yaml b/charts/hashicorp/consul/1.3.1/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..80ae582152 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.3.1/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..df6c22fd30 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-job.yaml @@ -0,0 +1,59 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..1136d2e0fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-job.yaml @@ -0,0 +1,124 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cc5b5397c2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..4eef2e96ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..afb5d44a0e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,311 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-init-job.yaml new file mode 100644 index 0000000000..59a119e0c7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-init-job.yaml @@ -0,0 +1,128 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/prometheus.yaml b/charts/hashicorp/consul/1.3.1/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..aca1444a9b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-job.yaml @@ -0,0 +1,349 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.3.1/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8cd726f445 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-config-configmap.yaml @@ -0,0 +1,208 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.1/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-role.yaml b/charts/hashicorp/consul/1.3.1/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.1/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-service.yaml b/charts/hashicorp/consul/1.3.1/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.3.1/templates/server-statefulset.yaml new file mode 100644 index 0000000000..5c76a12389 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/server-statefulset.yaml @@ -0,0 +1,657 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -hcl="experiments=[\"resource-apis\"]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/server-tmp-extra-config-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-tmp-extra-config-configmap.yaml rename to charts/hashicorp/consul/1.3.1/templates/server-tmp-extra-config-configmap.yaml diff --git a/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..f81b999e79 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..d36034b29c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,436 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..d8c94e7ecf --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..3a1a23fad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.3.1/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-job.yaml new file mode 100644 index 0000000000..54727e03dd --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.3.1/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/ui-service.yaml b/charts/hashicorp/consul/1.3.1/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..29b85d7079 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.1/values.yaml b/charts/hashicorp/consul/1.3.1/values.yaml new file mode 100644 index 0000000000..80245654ae --- /dev/null +++ b/charts/hashicorp/consul/1.3.1/values.yaml @@ -0,0 +1,3589 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.17.1 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.3.1 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.3.1 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # * `resource-apis`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.3.2/.helmignore b/charts/hashicorp/consul/1.3.2/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.3.2/Chart.yaml b/charts/hashicorp/consul/1.3.2/Chart.yaml new file mode 100644 index 0000000000..2fa3de6fde --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.2 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.2 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.17.2 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.3.2 diff --git a/charts/hashicorp/consul/1.3.2/README.md b/charts/hashicorp/consul/1.3.2/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.3.2/addons/gen.sh b/charts/hashicorp/consul/1.3.2/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.3.2/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.3.2/assets/icon.png b/charts/hashicorp/consul/1.3.2/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.3.2/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.3.2/templates/NOTES.txt b/charts/hashicorp/consul/1.3.2/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/_helpers.tpl b/charts/hashicorp/consul/1.3.2/templates/_helpers.tpl new file mode 100644 index 0000000000..809d965a6e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/_helpers.tpl @@ -0,0 +1,521 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.adminPartitions.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..1bd1f8500a --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: [ "/bin/sh", "-ec", "/consul-bin/consul logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.3.2/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.3.2/templates/client-daemonset.yaml new file mode 100644 index 0000000000..dd0454b10d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-daemonset.yaml @@ -0,0 +1,608 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul logout + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-role.yaml b/charts/hashicorp/consul/1.3.2/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.2/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..2506637949 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,255 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes + - httproutes + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes/status + - httproutes/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..b87c8223b8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-deployment.yaml @@ -0,0 +1,365 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.2/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-exportedservices.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..130db72a22 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..391637b5f7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,331 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..ab56d4f5fb --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-gateways-external.yaml @@ -0,0 +1,885 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..3e4aa75853 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,769 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..c89591376a --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-httproutes-external.yaml @@ -0,0 +1,1917 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..9a33bd2bab --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,423 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + envoyExtensions: + items: + description: EnvoyExtension has configuration for an extension + that patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + consulVersion: + type: string + envoyVersion: + type: string + name: + type: string + required: + type: boolean + type: object + type: array + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int64 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..6ae177d987 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-referencegrants-external.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..95ab50320d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,105 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + type: string + requestTimeout: + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c4e06d05bc --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-servicerouters.yaml @@ -0,0 +1,319 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..91989135e2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..565aa63381 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-terminatinggateways.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.3.2/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/crd-udproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..f0d5a1c821 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/dns-service.yaml b/charts/hashicorp/consul/1.3.2/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..80ae582152 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.3.2/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..df6c22fd30 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-job.yaml @@ -0,0 +1,59 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..1136d2e0fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-job.yaml @@ -0,0 +1,124 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cc5b5397c2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..4eef2e96ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..afb5d44a0e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,311 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-init-job.yaml new file mode 100644 index 0000000000..59a119e0c7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-init-job.yaml @@ -0,0 +1,128 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/prometheus.yaml b/charts/hashicorp/consul/1.3.2/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..aca1444a9b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-job.yaml @@ -0,0 +1,349 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.3.2/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8cd726f445 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-config-configmap.yaml @@ -0,0 +1,208 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}" + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.2/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-role.yaml b/charts/hashicorp/consul/1.3.2/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.2/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-service.yaml b/charts/hashicorp/consul/1.3.2/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.3.2/templates/server-statefulset.yaml new file mode 100644 index 0000000000..5c76a12389 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-statefulset.yaml @@ -0,0 +1,657 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -hcl="experiments=[\"resource-apis\"]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..f81b999e79 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..d36034b29c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,436 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..d8c94e7ecf --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..3a1a23fad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.3.2/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-job.yaml new file mode 100644 index 0000000000..54727e03dd --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.3.2/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/ui-service.yaml b/charts/hashicorp/consul/1.3.2/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..29b85d7079 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.2/values.yaml b/charts/hashicorp/consul/1.3.2/values.yaml new file mode 100644 index 0000000000..0d2d3aaa3a --- /dev/null +++ b/charts/hashicorp/consul/1.3.2/values.yaml @@ -0,0 +1,3596 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.17.2 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.3.2 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.3.2 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # * `resource-apis`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.3.3/.helmignore b/charts/hashicorp/consul/1.3.3/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.3.3/Chart.yaml b/charts/hashicorp/consul/1.3.3/Chart.yaml new file mode 100644 index 0000000000..545c08aefc --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.3 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.3 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.3 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.17.3 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.3.3 diff --git a/charts/hashicorp/consul/1.3.3/README.md b/charts/hashicorp/consul/1.3.3/README.md new file mode 100644 index 0000000000..e7d7fd9285 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.3.3/addons/gen.sh b/charts/hashicorp/consul/1.3.3/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.3.3/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.3.3/assets/icon.png b/charts/hashicorp/consul/1.3.3/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.3.3/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.3.3/templates/NOTES.txt b/charts/hashicorp/consul/1.3.3/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/_helpers.tpl b/charts/hashicorp/consul/1.3.3/templates/_helpers.tpl new file mode 100644 index 0000000000..bb2da193fc --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/_helpers.tpl @@ -0,0 +1,688 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Cleanup server.extraConfig entries to avoid conflicting entries: + - server.enableAgentDebug: + - `enable_debug` should not exist in extraConfig + - metrics.disableAgentHostName: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig + - metrics.enableHostMetrics: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig + - metrics.prefixFilter + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig + - metrics.datadog.enabled: + - if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig + +Usage: {{ template "consul.validateExtraConfig" . }} +*/}} +{{- define "consul.validateExtraConfig" -}} +{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }} +{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }} +{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }} +{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }} +{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Special case of replica equaling 3 and allowing a minor disruption of 1 otherwise +use the integer value +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "consul.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.server.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.adminPartitions.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, meshGateway.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} + +{{/* +Validation for Consul Metrics configuration: + +Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.disableAgentHostName = true + +Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.disableAgentHostName = true + +Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.enableHostMetrics = true + +Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.enableHostMetrics = true + +Usage: {{ template "consul.validateMetricsConfig" . }} + +*/}} + +{{- define "consul.validateMetricsConfig" -}} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}} +{{- end }} +{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}} +{{- end }} +{{- end -}} + +{{/* +Validation for Consul Datadog Integration deployment: + +Fail if Datadog integration enabled and Consul server agent telemetry is not enabled. + - global.metrics.datadog.enabled=true + - global.metrics.enableAgentMetrics=false || global.metrics.enabled=false + +Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured. + - global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option) + - global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`) + - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both + +Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled. + - global.metrics.datadog.otlp.enabled=true + - telemetryCollector.enabled=false + +Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc" + - global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc" + +Usage: {{ template "consul.validateDatadogConfiguration" . }} + +*/}} + +{{- define "consul.validateDatadogConfiguration" -}} +{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}} +{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}} +{{- end }} +{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} +{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }} +{{- end }} +{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }} +{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }} +{{- end }} +{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }} +{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }} +{{- end }} +{{- end -}} + +{{/* +Sets the dogstatsd_addr field of the agent configuration dependent on the +socket transport type being used: + - "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket) + - "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125) +- global.metrics.enableDatadogIntegration.dogstatsd configuration + +Usage: {{ template "consul.dogstatsdAaddressInfo" . }} +*/}} + +{{- define "consul.dogstatsdAaddressInfo" -}} +{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }} + "dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }} +{{- end -}} + +{{/* +Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls: + +Usage: {{ template "consul.prefixFilter" . }} +*/}} +{{- define "consul.prefixFilter" -}} +{{- $allowList := .Values.global.metrics.prefixFilter.allowList }} +{{- $blockList := .Values.global.metrics.prefixFilter.blockList }} +{{- if and (not (empty $allowList)) (not (empty $blockList)) }} + "prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}} + "{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $allowList) }} + "prefix_filter": [{{- range $index, $value := $allowList -}} + "{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $blockList) }} + "prefix_filter": [{{- range $index, $value := $blockList -}} + "{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}} + {{- end -}}], +{{- end }} +{{- end -}} + +{{/* +Retrieves the global consul/consul-enterprise version string for use with labels or tags. +Requirements for valid labels: + - a valid label must be an empty string or consist of + => alphanumeric characters + => '-', '_' or '.' + => must start and end with an alphanumeric character + (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is + '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +Usage: {{ template "consul.versionInfo" }} +*/}} +{{- define "consul.versionInfo" -}} +{{- $imageVersion := regexSplit ":" .Values.global.image -1 }} +{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }} +{{- $sanitizedVersion := "" }} +{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }} +{{- if not (regexMatch $pattern $versionInfo) -}} + {{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }} + {{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}} +{{- else }} + {{- $sanitizedVersion = $versionInfo }} +{{- end -}} +{{- printf "%s" $sanitizedVersion | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..453be66054 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: ["/consul-bin/consul", "logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.3.3/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.3.3/templates/client-daemonset.yaml new file mode 100644 index 0000000000..3f04e826f4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-daemonset.yaml @@ -0,0 +1,606 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/consul" + - "logout" + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-role.yaml b/charts/hashicorp/consul/1.3.3/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.3/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..2506637949 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,255 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes + - httproutes + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - grpcroutes/status + - httproutes/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..13c69e83a2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-deployment.yaml @@ -0,0 +1,365 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.3/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-exportedservices.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..130db72a22 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..391637b5f7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,331 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..ab56d4f5fb --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-gateways-external.yaml @@ -0,0 +1,885 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..3e4aa75853 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,769 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..c89591376a --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-httproutes-external.yaml @@ -0,0 +1,1917 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..9a33bd2bab --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,423 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + envoyExtensions: + items: + description: EnvoyExtension has configuration for an extension + that patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + consulVersion: + type: string + envoyVersion: + type: string + name: + type: string + required: + type: boolean + type: object + type: array + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int64 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..6ae177d987 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-referencegrants-external.yaml @@ -0,0 +1,211 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..95ab50320d --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,105 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + type: string + requestTimeout: + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..dca5aa7fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + caseInsensitive: + description: CaseInsensitive configures PathExact and + PathPrefix matches to ignore upper/lower casing. + type: boolean + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..91989135e2 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..565aa63381 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-terminatinggateways.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..dfabd80713 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,294 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.3.3/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..935cce22fa --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/crd-udproutes-external.yaml @@ -0,0 +1,284 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..aff6b5a934 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.3.3/templates/datadog-agent-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/datadog-agent-role.yaml rename to charts/hashicorp/consul/1.3.3/templates/datadog-agent-role.yaml diff --git a/charts/hashicorp/consul/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/datadog-agent-rolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/datadog-agent-rolebinding.yaml rename to charts/hashicorp/consul/1.3.3/templates/datadog-agent-rolebinding.yaml diff --git a/charts/hashicorp/consul/1.3.3/templates/dns-service.yaml b/charts/hashicorp/consul/1.3.3/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..8db9500a22 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.3.3/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..c533a882f5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,35 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..df6c22fd30 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-job.yaml @@ -0,0 +1,59 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..c3bdfeb4a3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,37 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..591aaa2129 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-configmap.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.enabled }} +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..1136d2e0fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-job.yaml @@ -0,0 +1,124 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Overide values from the old stanza. To be removed in 1.17 (t-eckert 2023-05-19) + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cea13c77fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..448c810262 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..b951418b26 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,34 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..f8150ebb53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..a22bdc0879 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,319 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + securityContext: + capabilities: + {{ if not .Values.meshGateway.hostNetwork}} + drop: + - ALL + {{- end }} + add: + - NET_BIND_SERVICE + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..04576fe926 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..5fdceca8df --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-service.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.meshGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..8c2da5ae06 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.meshGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-init-job.yaml new file mode 100644 index 0000000000..bb4e7b3706 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-init-job.yaml @@ -0,0 +1,128 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/prometheus.yaml b/charts/hashicorp/consul/1.3.3/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..2e798a54d5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-job.yaml @@ -0,0 +1,353 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + exec consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if (and (not .Values.global.metrics.datadog.dogstatsd.enabled) .Values.global.metrics.datadog.enabled .Values.global.acls.manageSystemACLs) }} + -create-dd-agent-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.3.3/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..423eeac60a --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-config-configmap.yaml @@ -0,0 +1,215 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "enable_debug": {{ .Values.server.enableAgentDebug }}, + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}", + "disable_hostname": {{ .Values.global.metrics.disableAgentHostName }},{{ template "consul.prefixFilter" . }} + "enable_host_metrics": {{ .Values.global.metrics.enableHostMetrics }}{{- if .Values.global.metrics.datadog.dogstatsd.enabled }},{{ template "consul.dogstatsdAaddressInfo" . }} + {{- if .Values.global.metrics.datadog.dogstatsd.enabled }} + "dogstatsd_tags": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson }} + {{- end }} + {{- end }} + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.3.3/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..edf9c1c57f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-role.yaml b/charts/hashicorp/consul/1.3.3/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.3.3/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-service.yaml b/charts/hashicorp/consul/1.3.3/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.3.3/templates/server-statefulset.yaml new file mode 100644 index 0000000000..e744f2fe80 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-statefulset.yaml @@ -0,0 +1,738 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateMetricsConfig" . }} +{{ template "consul.validateDatadogConfiguration" . }} +{{ template "consul.validateExtraConfig" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.global.metrics.datadog.enabled }} + "tags.datadoghq.com/version": {{ template "consul.versionInfo" . }} + "tags.datadoghq.com/env": {{ template "consul.name" . }} + "tags.datadoghq.com/service": "consul-server" + {{- end }} + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + {{- if not .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + {{- if .Values.global.metrics.datadog.enabled }} + "ad.datadoghq.com/tolerate-unready": "true" + "ad.datadoghq.com/consul.logs": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson | replace "[" "[{" | replace "]" "}]" | replace ":" "\": \"" | join "\",\"" | squote }} + {{- if .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "ad.datadoghq.com/consul.checks": | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "openmetrics_endpoint": "https://consul-server.{{ .Release.Namespace }}.svc:8501/v1/agent/metrics?format=prometheus", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus", + {{- end }} + {{- if ( .Values.global.acls.manageSystemACLs) }} + "headers": { + "X-Consul-Token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]" + }, + {{- end }} + "namespace": "{{ .Release.Namespace }}", + "metrics": [ ".*" ] + } + ] + } + } + {{- else if (not .Values.global.metrics.datadog.dogstatsd.enabled) }} + "ad.datadoghq.com/consul.checks": | + { + "consul": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "url": "https://consul-server.{{ .Release.Namespace }}.svc:8501", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "url": "http://consul-server.consul.svc:8500", + {{- end }} + "use_prometheus_endpoint": true, + {{- if ( .Values.global.acls.manageSystemACLs) }} + "acl_token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]", + {{- end }} + "new_leader_checks": true, + "network_latency_checks": true, + "catalog_checks": true, + "auth_type": "basic" + } + ] + } + } + {{- else }} + "ad.datadoghq.com/consul.metrics_exclude": "true" + {{- end }} + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + hostPath: + path: /var/run/datadog + type: DirectoryOrCreate + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image | trimPrefix "\"" | trimSuffix "\"" }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -hcl="experiments=[\"resource-apis\"]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + mountPath: /var/run/datadog + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..8bd3e0af61 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..f7b6d7bd2e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,449 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- if .Values.global.metrics.datadog.otlp.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if eq (.Values.global.metrics.datadog.otlp.protocol | lower ) "http" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "http://$(HOST_IP):4318" + {{- else if eq (.Values.global.metrics.datadog.otlp.protocol | lower) "grpc" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "grpc://$(HOST_IP):4317" + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/telemetry-collector-v2-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-v2-deployment.yaml rename to charts/hashicorp/consul/1.3.3/templates/telemetry-collector-v2-deployment.yaml diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..a04bbbfa1f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.3.3/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-job.yaml new file mode 100644 index 0000000000..41c0c2827e --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + exec consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.3.3/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/ui-service.yaml b/charts/hashicorp/consul/1.3.3/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..45c87c9ceb --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.3.3/values.yaml b/charts/hashicorp/consul/1.3.3/values.yaml new file mode 100644 index 0000000000..46162d36aa --- /dev/null +++ b/charts/hashicorp/consul/1.3.3/values.yaml @@ -0,0 +1,3754 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.17.3 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.3.3 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + disableAgentHostName: false + + # Configures consul agent underlying host metrics. Only applicable if + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + enableHostMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # This configures the list of filter rules to apply for allowing/blocking + # metrics by prefix in the following format: + # + # A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. + # If there is overlap between two rules, the more specific rule will take precedence. + # Blocking will take priority if the same prefix is listed multiple times. + # + # - allowList: + prefixFilter: + # @type: array + allowList: [] + # @type: array + blockList: [] + + # Configures consul integration configurations for datadog on kubernetes. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + datadog: + # Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) + # by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses + # are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: + # - Serf events and member flaps + # - The Raft protocol + # - DNS performance + # - API Endpoints scraped: + # - `/v1/agent/metrics?format=prometheus` + # - `/v1/agent/self` + # - `/v1/status/leader` + # - `/v1/status/peers` + # - `/v1/catalog/services` + # - `/v1/health/service` + # - `/v1/health/state/any` + # - `/v1/coordinate/datacenters` + # - `/v1/coordinate/nodes` + # + # Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks + # in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. + # + # ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul + # residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire + # to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + # + # @default: false + # @type: boolean + enabled: false + + # Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. + # This configuration is less common and more for advanced usage with custom metrics monitoring + # configurations. See https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2 for more details + # surround further configuration. + openMetricsPrometheus: + # @default: false + # @type: boolean + enabled: false + + otlp: + # Enables forwarding of Consul's Telemetry Collector OTLP metrics for + # ingestion by Datadog Agent. + # @default: false + # @type: boolean + enabled: false + # Protocol used for DataDog Endpoint OTLP ingestion. + # + # Valid protocol options are one of either: + # + # - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" + # - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + # + # @default: "http" + # @type: string + protocol: "http" + + # Configuration settings for DogStatsD metrics aggregation service + # that is bundled with the Datadog Agent. + # DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: + # - Histogram metric type + # - Service checks + # - Events + # - Tagging + dogstatsd: + enabled: false + # Sets the socket transport type for dogstatsd: + # - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") + # If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for + # managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). + # The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + # + # Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + # + # ```yaml + # volumes: + # - name: dsdsocket + # hostPath: + # path: /var/run/datadog + # type: DirectoryOrCreate + # volumeMounts: + # - name: dsdsocket + # mountPath: /var/run/datadog + # readOnly: true + # ``` + # - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based + # dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + # + # @default: "UDS" + # @type: string + socketTransportType: "UDS" + # Sets URL path for dogstatsd: + # + # Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the + # consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" + # the path will be prepended to the specified `dogstatsdPort`. + # + # @default: "/var/run/datadog/dsd.socket" + # @type: string + dogstatsdAddr: "/var/run/datadog/dsd.socket" + # Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + # + # If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to + # mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with + # default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value + # of "172.10.23.6". + # + # @default: 0 + # @type: integer + dogstatsdPort: 0 + # Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) + # style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) + # configuration for Consul. + # + # The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation + # will reside on the consul-server statefulset as autodiscovery annotations. + # (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + # + # @default: ["source:consul","consul_service:consul-server"] + # @type: array + dogstatsdTags: ["source:consul","consul_service:consul-server"] + # Namespace + # + # @default: "default" + # @type: string + namespace: "default" + + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.3.3 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # * `resource-apis`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + # When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. + # This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. + # If you change this setting, you must restart the agent for the change to take effect. Default is false. + # @type: boolean + enableAgentDebug: false + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `server.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: "Service" + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.4.0/.helmignore b/charts/hashicorp/consul/1.4.0/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.4.0/Chart.yaml b/charts/hashicorp/consul/1.4.0/Chart.yaml new file mode 100644 index 0000000000..481e833023 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.18.0 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.4.0 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.4.0 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.18.0 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.4.0 diff --git a/charts/hashicorp/consul/README.md b/charts/hashicorp/consul/1.4.0/README.md similarity index 100% rename from charts/hashicorp/consul/README.md rename to charts/hashicorp/consul/1.4.0/README.md diff --git a/charts/hashicorp/consul/1.4.0/addons/gen.sh b/charts/hashicorp/consul/1.4.0/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.4.0/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.4.0/assets/icon.png b/charts/hashicorp/consul/1.4.0/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.4.0/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.4.0/templates/NOTES.txt b/charts/hashicorp/consul/1.4.0/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/_helpers.tpl b/charts/hashicorp/consul/1.4.0/templates/_helpers.tpl new file mode 100644 index 0000000000..ca87485a78 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/_helpers.tpl @@ -0,0 +1,688 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Cleanup server.extraConfig entries to avoid conflicting entries: + - server.enableAgentDebug: + - `enable_debug` should not exist in extraConfig + - metrics.disableAgentHostName: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig + - metrics.enableHostMetrics: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig + - metrics.prefixFilter + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig + - metrics.datadog.enabled: + - if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig + +Usage: {{ template "consul.validateExtraConfig" . }} +*/}} +{{- define "consul.validateExtraConfig" -}} +{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }} +{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }} +{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }} +{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }} +{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Calculate max number of server pods that are allowed to be voluntarily disrupted. +When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge +case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and +I don't want to change it for this edge case. +Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate +to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft +is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change, +but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1. +*/}} +{{- define "consul.server.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{ 1 }} +{{- end -}} +{{- end -}} + +{{- define "consul.server.autopilotMinQuorum" -}} +{{- add (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} + +{{/* +Validation for Consul Metrics configuration: + +Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.disableAgentHostName = true + +Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.disableAgentHostName = true + +Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.enableHostMetrics = true + +Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.enableHostMetrics = true + +Usage: {{ template "consul.validateMetricsConfig" . }} + +*/}} + +{{- define "consul.validateMetricsConfig" -}} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}} +{{- end }} +{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}} +{{- end }} +{{- end -}} + +{{/* +Validation for Consul Datadog Integration deployment: + +Fail if Datadog integration enabled and Consul server agent telemetry is not enabled. + - global.metrics.datadog.enabled=true + - global.metrics.enableAgentMetrics=false || global.metrics.enabled=false + +Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured. + - global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option) + - global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`) + - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both + +Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled. + - global.metrics.datadog.otlp.enabled=true + - telemetryCollector.enabled=false + +Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc" + - global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc" + +Usage: {{ template "consul.validateDatadogConfiguration" . }} + +*/}} + +{{- define "consul.validateDatadogConfiguration" -}} +{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}} +{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}} +{{- end }} +{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} +{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }} +{{- end }} +{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }} +{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }} +{{- end }} +{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }} +{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }} +{{- end }} +{{- end -}} + +{{/* +Sets the dogstatsd_addr field of the agent configuration dependent on the +socket transport type being used: + - "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket) + - "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125) +- global.metrics.enableDatadogIntegration.dogstatsd configuration + +Usage: {{ template "consul.dogstatsdAaddressInfo" . }} +*/}} + +{{- define "consul.dogstatsdAaddressInfo" -}} +{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }} + "dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }} +{{- end -}} + +{{/* +Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls: + +Usage: {{ template "consul.prefixFilter" . }} +*/}} +{{- define "consul.prefixFilter" -}} +{{- $allowList := .Values.global.metrics.prefixFilter.allowList }} +{{- $blockList := .Values.global.metrics.prefixFilter.blockList }} +{{- if and (not (empty $allowList)) (not (empty $blockList)) }} + "prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}} + "{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $allowList) }} + "prefix_filter": [{{- range $index, $value := $allowList -}} + "{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $blockList) }} + "prefix_filter": [{{- range $index, $value := $blockList -}} + "{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}} + {{- end -}}], +{{- end }} +{{- end -}} + +{{/* +Retrieves the global consul/consul-enterprise version string for use with labels or tags. +Requirements for valid labels: + - a valid label must be an empty string or consist of + => alphanumeric characters + => '-', '_' or '.' + => must start and end with an alphanumeric character + (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is + '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +Usage: {{ template "consul.versionInfo" }} +*/}} +{{- define "consul.versionInfo" -}} +{{- $imageVersion := regexSplit ":" .Values.global.image -1 }} +{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }} +{{- $sanitizedVersion := "" }} +{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }} +{{- if not (regexMatch $pattern $versionInfo) -}} + {{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }} + {{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}} +{{- else }} + {{- $sanitizedVersion = $versionInfo }} +{{- end -}} +{{- printf "%s" $sanitizedVersion | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..453be66054 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: ["/consul-bin/consul", "logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.4.0/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.4.0/templates/client-daemonset.yaml new file mode 100644 index 0000000000..3f04e826f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-daemonset.yaml @@ -0,0 +1,606 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/consul" + - "logout" + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-role.yaml b/charts/hashicorp/consul/1.4.0/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.0/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..c6845870ba --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,287 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshconfigurations + - grpcroutes + - httproutes + - meshgateways + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs/status + - gatewayclasses/status + - meshconfigurations/status + - grpcroutes/status + - httproutes/status + - meshgateways/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..1565e92811 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-deployment.yaml @@ -0,0 +1,368 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- if (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.0/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-apigateways.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-apigateways.yaml new file mode 100644 index 0000000000..755fb05b64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-apigateways.yaml @@ -0,0 +1,240 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: apigateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: APIGateway + listKind: APIGatewayList + plural: apigateways + singular: apigateway + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: APIGateway is the Schema for the API Gateway + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the APIGateway + type: string + listeners: + items: + properties: + hostname: + description: Hostname is the host name that a listener should + be bound to, if unspecified, the listener accepts requests + for all hostnames. + type: string + name: + description: Name is the name of the listener in a given gateway. + This must be unique within a gateway. + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: Protocol is the protocol that a listener should + use, it must either be "http" or "tcp" + type: string + tls: + description: TLS is the TLS settings for the listener. + properties: + certificates: + description: Certificates is a set of references to certificates + that a gateway listener uses for TLS termination. + items: + description: Reference identifies which resource a condition + relates to, when it is not the core resource itself. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the + resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all partitions." + type: string + peerName: + description: "PeerName identifies which peer the + resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes are + made to the group's resource types. + type: string + kind: + description: Kind identifies the specific resource + type within the group. + type: string + type: object + type: object + type: array + tlsParameters: + description: TLSParameters contains optional configuration + for running TLS termination. + properties: + cipherSuites: + items: + enum: + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA + - TLS_CIPHER_SUITE_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA + - TLS_CIPHER_SUITE_AES256_GCM_SHA384 + format: int32 + type: string + type: array + maxVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + minVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + type: object + type: object + type: object + minItems: 1 + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-exportedservices-v1.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-exportedservices-v1.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-exportedservices.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-exportedservices.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-exportedservices.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs-v1.yaml new file mode 100644 index 0000000000..130db72a22 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs-v1.yaml @@ -0,0 +1,201 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..93effd843b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,1826 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClassConfig is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayClassConfigSpec specifies the desired state of the + GatewayClassConfig CRD. + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + deployment: + description: Deployment contains config specific to the Deployment + created from this GatewayClass + properties: + affinity: + description: Affinity specifies the affinity to use on the created + Deployment. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + container: + description: Container contains config specific to the created + Deployment's container. + properties: + consul: + description: Consul specifies configuration for the consul-dataplane + container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + hostPort: + description: HostPort specifies a port to be exposed to the + external host network + format: int32 + type: integer + portModifier: + description: PortModifier specifies the value to be added + to every port value for listeners on this gateway. This + is generally used to avoid binding to privileged ports in + the container. + format: int32 + type: integer + resources: + description: Resources specifies the resource requirements + for the created Deployment's container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + dnsPolicy: + description: DNSPolicy specifies the dns policy to use. These + are set on a per pod basis. + enum: + - Default + - ClusterFirst + - ClusterFirstWithHostNet + - None + type: string + hostNetwork: + description: HostNetwork specifies whether the gateway pods should + run on the host network. + type: boolean + initContainer: + description: InitContainer contains config specific to the created + Deployment's init container. + properties: + consul: + description: Consul specifies configuration for the consul-k8s-control-plane + init container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + resources: + description: Resources specifies the resource requirements + for the created Deployment's init container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a feature that constrains the scheduling + of a pod to nodes that match specified labels. By defining NodeSelector + in a pod''s configuration, you can ensure that the pod is only + scheduled to nodes with the corresponding labels, providing + a way to influence the placement of workloads based on node + attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: PriorityClassName specifies the priority class name + to use on the created Deployment. + type: string + replicas: + description: Replicas specifies the configuration to control the + number of replicas for the created Deployment. + properties: + default: + description: Default is the number of replicas assigned to + the Deployment when created + format: int32 + type: integer + max: + description: Max is the maximum number of replicas allowed + for a gateway with this class. If the replica count exceeds + this value due to manual or automated scaling, the replica + count will be restored to this value. + format: int32 + type: integer + min: + description: Min is the minimum number of replicas allowed + for a gateway with this class. If the replica count drops + below this value due to manual or automated scaling, the + replica count will be restored to this value. + format: int32 + type: integer + type: object + securityContext: + description: SecurityContext specifies the security context for + the created Deployment's Pod. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for the uid of the container process. + If unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image + for the uid of the container process are still effective, + even if they are not included in this list. Note that this + field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + tolerations: + description: Tolerations specifies the tolerations to use on the + created Deployment. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: 'TopologySpreadConstraints is a feature that controls + how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a beta-level + feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + role: + description: Role contains config specific to the Role created from + this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + roleBinding: + description: RoleBinding contains config specific to the RoleBinding + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + service: + description: Service contains config specific to the Service created + from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: + description: Type specifies the type of Service to use (LoadBalancer, + ClusterIP, etc.) + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + type: object + serviceAccount: + description: ServiceAccount contains config specific to the corev1.ServiceAccount + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..93435b7fce --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,328 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gatewayclasses.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gatewayclasses.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-gatewayclasses.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..41df34942a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-gateways-external.yaml @@ -0,0 +1,882 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..739ed2c659 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,766 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..bba3672d16 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-httproutes-external.yaml @@ -0,0 +1,1914 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-meshconfigurations.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-meshconfigurations.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-meshconfigurations.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-meshgateways.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-meshgateways.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-meshgateways.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-proxyconfigurations.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-proxyconfigurations.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-proxyconfigurations.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..db9cf12027 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-referencegrants-external.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-routetimeoutfilters.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-routetimeoutfilters.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-routetimeoutfilters.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-servicerouters.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-servicerouters.yaml rename to charts/hashicorp/consul/1.4.0/templates/crd-servicerouters.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..b5bc7be13c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..565aa63381 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-terminatinggateways.yaml @@ -0,0 +1,137 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..1acd1b973a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,291 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.4.0/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..0661b24c1a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/crd-udproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..aff6b5a934 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.4.0/templates/datadog-agent-role.yaml new file mode 100644 index 0000000000..191e6433c6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/datadog-agent-role.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: datadog + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +{{- if .Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- else}} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: + - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token + verbs: [ "get", "watch", "list" ] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/datadog-agent-rolebinding.yaml new file mode 100644 index 0000000000..5fc3fdf545 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/datadog-agent-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +subjects: + - kind: ServiceAccount + apiGroup: "" + name: datadog-agent + namespace: datadog + - kind: ServiceAccount + apiGroup: "" + name: datadog-cluster-agent + namespace: datadog +roleRef: + kind: Role + name: {{ template "consul.fullname" . }}-datadog-metrics + apiGroup: "" +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/dns-service.yaml b/charts/hashicorp/consul/1.4.0/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..8db9500a22 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.4.0/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-cleanup-clusterrole.yaml rename to charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-clusterrole.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..0d4f84272c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-job.yaml @@ -0,0 +1,67 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-clusterrole.yaml rename to charts/hashicorp/consul/1.4.0/templates/gateway-resources-clusterrole.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..842ba6690d --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.connectInject.enabled }} + +# Validation +# For meshGateway.wanAddress, static must be set if source is "Static" +{{if (and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static ""))}}{{fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static"}}{{ end }} + +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled }} + config.yaml: | + gatewayClassConfigs: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + metadata: + name: consul-mesh-gateway + kind: GatewayClassConfig + spec: + labels: + set: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + deployment: + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: {{ toJson (default "{}" .Values.meshGateway.affinity) }} + {{- end }} + {{- if .Values.meshGateway.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.annotations }} + {{- end }} + {{- if .Values.global.extraLabels }} + labels: + set: {{ toJson .Values.global.extraLabels }} + {{- end }} + container: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + portModifier: {{ sub .Values.meshGateway.containerPort .Values.meshGateway.service.port }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + resources: {{ toJson .Values.meshGateway.resources }} + initContainer: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + resources: {{ toJson .Values.meshGateway.initServiceInitContainer.resources }} + {{- with .Values.meshGateway.nodeSelector }} + nodeSelector: {{ fromYaml . | toJson }} + {{- end }} + {{- with .Values.meshGateway.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ fromYamlArray . | toJson }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 16 | trim }} + {{- end }} + replicas: + default: {{ .Values.meshGateway.replicas }} + min: {{ .Values.meshGateway.replicas }} + max: {{ .Values.meshGateway.replicas }} + {{- if .Values.meshGateway.tolerations }} + tolerations: {{ fromYamlArray .Values.meshGateway.tolerations | toJson }} + {{- end }} + service: + {{- if .Values.meshGateway.service.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.service.annotations }} + {{- end }} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.serviceAccount.annotations }} + serviceAccount: + annotations: + set: {{ toJson .Values.meshGateway.serviceAccount.annotations }} + {{- end }} + meshGateways: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + kind: MeshGateway + metadata: + name: mesh-gateway + namespace: {{ .Release.Namespace }} + annotations: + # TODO are these annotations even necessary? + "consul.hashicorp.com/gateway-wan-address-source": {{ .Values.meshGateway.wanAddress.source | quote }} + "consul.hashicorp.com/gateway-wan-address-static": {{ .Values.meshGateway.wanAddress.static | quote }} + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.nodePort | quote }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.port | quote }} + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.wanAddress.port | quote }} + {{- end }} + spec: + gatewayClassName: consul-mesh-gateway + listeners: + - name: "wan" + port: {{ .Values.meshGateway.service.port }} + protocol: "TCP" + workloads: + prefixes: + - "mesh-gateway" + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..5934372ed3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-job.yaml @@ -0,0 +1,124 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263 + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- end}} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cea13c77fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..448c810262 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-clusterrole.yaml rename to charts/hashicorp/consul/1.4.0/templates/mesh-gateway-clusterrole.yaml diff --git a/charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-clusterrolebinding.yaml rename to charts/hashicorp/consul/1.4.0/templates/mesh-gateway-clusterrolebinding.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..efcc1f910b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,321 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + securityContext: + capabilities: + {{ if not .Values.meshGateway.hostNetwork}} + drop: + - ALL + {{- end }} + add: + - NET_BIND_SERVICE + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-podsecuritypolicy.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-podsecuritypolicy.yaml rename to charts/hashicorp/consul/1.4.0/templates/mesh-gateway-podsecuritypolicy.yaml diff --git a/charts/hashicorp/consul/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-service.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-service.yaml rename to charts/hashicorp/consul/1.4.0/templates/mesh-gateway-service.yaml diff --git a/charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/mesh-gateway-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-serviceaccount.yaml rename to charts/hashicorp/consul/1.4.0/templates/mesh-gateway-serviceaccount.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-init-job.yaml new file mode 100644 index 0000000000..21ad2930b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-init-job.yaml @@ -0,0 +1,131 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/prometheus.yaml b/charts/hashicorp/consul/1.4.0/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..2e798a54d5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-job.yaml @@ -0,0 +1,353 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + exec consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if (and (not .Values.global.metrics.datadog.dogstatsd.enabled) .Values.global.metrics.datadog.enabled .Values.global.acls.manageSystemACLs) }} + -create-dd-agent-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.4.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/server-config-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-config-configmap.yaml rename to charts/hashicorp/consul/1.4.0/templates/server-config-configmap.yaml diff --git a/charts/hashicorp/consul/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.0/templates/server-disruptionbudget.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-disruptionbudget.yaml rename to charts/hashicorp/consul/1.4.0/templates/server-disruptionbudget.yaml diff --git a/charts/hashicorp/consul/1.4.0/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-role.yaml b/charts/hashicorp/consul/1.4.0/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.0/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-service.yaml b/charts/hashicorp/consul/1.4.0/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.4.0/templates/server-statefulset.yaml new file mode 100644 index 0000000000..6dcd2e320a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-statefulset.yaml @@ -0,0 +1,747 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateMetricsConfig" . }} +{{ template "consul.validateDatadogConfiguration" . }} +{{ template "consul.validateExtraConfig" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.global.metrics.datadog.enabled }} + "tags.datadoghq.com/version": {{ template "consul.versionInfo" . }} + "tags.datadoghq.com/env": {{ template "consul.name" . }} + "tags.datadoghq.com/service": "consul-server" + {{- end }} + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + {{- if not .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + {{- if .Values.global.metrics.datadog.enabled }} + "ad.datadoghq.com/tolerate-unready": "true" + "ad.datadoghq.com/consul.logs": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson | replace "[" "[{" | replace "]" "}]" | replace ":" "\": \"" | join "\",\"" | squote }} + {{- if .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "ad.datadoghq.com/consul.checks": | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "openmetrics_endpoint": "https://consul-server.{{ .Release.Namespace }}.svc:8501/v1/agent/metrics?format=prometheus", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus", + {{- end }} + {{- if ( .Values.global.acls.manageSystemACLs) }} + "headers": { + "X-Consul-Token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]" + }, + {{- end }} + "namespace": "{{ .Release.Namespace }}", + "metrics": [ ".*" ] + } + ] + } + } + {{- else if (not .Values.global.metrics.datadog.dogstatsd.enabled) }} + "ad.datadoghq.com/consul.checks": | + { + "consul": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "url": "https://consul-server.{{ .Release.Namespace }}.svc:8501", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "url": "http://consul-server.consul.svc:8500", + {{- end }} + "use_prometheus_endpoint": true, + {{- if ( .Values.global.acls.manageSystemACLs) }} + "acl_token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]", + {{- end }} + "new_leader_checks": true, + "network_latency_checks": true, + "catalog_checks": true, + "auth_type": "basic" + } + ] + } + } + {{- else }} + "ad.datadoghq.com/consul.metrics_exclude": "true" + {{- end }} + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + hostPath: + path: /var/run/datadog + type: DirectoryOrCreate + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image | trimPrefix "\"" | trimSuffix "\"" }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + + {{- if .Values.global.experiments }} + {{- $commaSeparatedValues := "" }} + {{- range $index, $value := .Values.global.experiments }} + {{- if ne $index 0 }} + {{- $commaSeparatedValues = printf "%s,\\\"%s\\\"" $commaSeparatedValues $value }} + {{- else }} + {{- $commaSeparatedValues = printf "\\\"%s\\\"" $value }} + {{- end }} + {{- end }} + -hcl="experiments=[{{ $commaSeparatedValues }}]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + mountPath: /var/run/datadog + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..585b5ad171 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,48 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + - endpoints + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..8bd3e0af61 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..f7b6d7bd2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,449 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- if .Values.global.metrics.datadog.otlp.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if eq (.Values.global.metrics.datadog.otlp.protocol | lower ) "http" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "http://$(HOST_IP):4318" + {{- else if eq (.Values.global.metrics.datadog.otlp.protocol | lower) "grpc" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "grpc://$(HOST_IP):4317" + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..09f4a2dbbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..a04bbbfa1f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.4.0/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-job.yaml new file mode 100644 index 0000000000..41c0c2827e --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + exec consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.4.0/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/ui-service.yaml b/charts/hashicorp/consul/1.4.0/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..45c87c9ceb --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.0/values.yaml b/charts/hashicorp/consul/1.4.0/values.yaml new file mode 100644 index 0000000000..2bad84077a --- /dev/null +++ b/charts/hashicorp/consul/1.4.0/values.yaml @@ -0,0 +1,3768 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.18.0 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.4.0 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + disableAgentHostName: false + + # Configures consul agent underlying host metrics. Only applicable if + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + enableHostMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # This configures the list of filter rules to apply for allowing/blocking + # metrics by prefix in the following format: + # + # A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. + # If there is overlap between two rules, the more specific rule will take precedence. + # Blocking will take priority if the same prefix is listed multiple times. + # + # - allowList: + prefixFilter: + # @type: array + allowList: [] + # @type: array + blockList: [] + + # Configures consul integration configurations for datadog on kubernetes. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + datadog: + # Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) + # by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses + # are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: + # - Serf events and member flaps + # - The Raft protocol + # - DNS performance + # - API Endpoints scraped: + # - `/v1/agent/metrics?format=prometheus` + # - `/v1/agent/self` + # - `/v1/status/leader` + # - `/v1/status/peers` + # - `/v1/catalog/services` + # - `/v1/health/service` + # - `/v1/health/state/any` + # - `/v1/coordinate/datacenters` + # - `/v1/coordinate/nodes` + # + # Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks + # in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. + # + # ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul + # residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire + # to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + # + # @default: false + # @type: boolean + enabled: false + + # Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. + # This configuration is less common and more for advanced usage with custom metrics monitoring + # configurations. See https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2 for more details + # surround further configuration. + openMetricsPrometheus: + # @default: false + # @type: boolean + enabled: false + + otlp: + # Enables forwarding of Consul's Telemetry Collector OTLP metrics for + # ingestion by Datadog Agent. + # @default: false + # @type: boolean + enabled: false + # Protocol used for DataDog Endpoint OTLP ingestion. + # + # Valid protocol options are one of either: + # + # - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" + # - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + # + # @default: "http" + # @type: string + protocol: "http" + + # Configuration settings for DogStatsD metrics aggregation service + # that is bundled with the Datadog Agent. + # DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: + # - Histogram metric type + # - Service checks + # - Events + # - Tagging + dogstatsd: + enabled: false + # Sets the socket transport type for dogstatsd: + # - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") + # If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for + # managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). + # The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + # + # Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + # + # ```yaml + # volumes: + # - name: dsdsocket + # hostPath: + # path: /var/run/datadog + # type: DirectoryOrCreate + # volumeMounts: + # - name: dsdsocket + # mountPath: /var/run/datadog + # readOnly: true + # ``` + # - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based + # dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + # + # @default: "UDS" + # @type: string + socketTransportType: "UDS" + # Sets URL path for dogstatsd: + # + # Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the + # consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" + # the path will be prepended to the specified `dogstatsdPort`. + # + # @default: "/var/run/datadog/dsd.socket" + # @type: string + dogstatsdAddr: "/var/run/datadog/dsd.socket" + # Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + # + # If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to + # mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with + # default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value + # of "172.10.23.6". + # + # @default: 0 + # @type: integer + dogstatsdPort: 0 + # Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) + # style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) + # configuration for Consul. + # + # The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation + # will reside on the consul-server statefulset as autodiscovery annotations. + # (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + # + # @default: ["source:consul","consul_service:consul-server"] + # @type: array + dogstatsdTags: ["source:consul","consul_service:consul-server"] + # Namespace + # + # @default: "default" + # @type: string + namespace: "default" + + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.4.0 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # * `resource-apis`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # * `v2tenancy`: + # _**Danger**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul V2 resources (catalog, mesh, auth, etc) + # will use V2 implementations for tenancy (partitions and namesapces) + # instead of bridging to the existing V1 implementations. The + # `resource-apis` feature flag must also be set. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + # When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. + # This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. + # If you change this setting, you must restart the agent for the change to take effect. Default is false. + # @type: boolean + enableAgentDebug: false + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to + # the correct number when left as null. This setting has been kept to not break backwards compatibility. + # + # By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft + # consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum + # size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum + # size would change. That's why this is set to 1 internally and should not be changed in most cases. + # + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: Service + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.4.1/.helmignore b/charts/hashicorp/consul/1.4.1/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.4.1/Chart.yaml b/charts/hashicorp/consul/1.4.1/Chart.yaml new file mode 100644 index 0000000000..f7e484b429 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.18.1 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.4.1 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.4.1 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.18.1 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.4.1 diff --git a/charts/hashicorp/consul/1.4.1/README.md b/charts/hashicorp/consul/1.4.1/README.md new file mode 100644 index 0000000000..a0a9929ed4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.4.1/addons/gen.sh b/charts/hashicorp/consul/1.4.1/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.4.1/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.4.1/assets/icon.png b/charts/hashicorp/consul/1.4.1/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.4.1/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.4.1/templates/NOTES.txt b/charts/hashicorp/consul/1.4.1/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/_helpers.tpl b/charts/hashicorp/consul/1.4.1/templates/_helpers.tpl new file mode 100644 index 0000000000..ca87485a78 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/_helpers.tpl @@ -0,0 +1,688 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Cleanup server.extraConfig entries to avoid conflicting entries: + - server.enableAgentDebug: + - `enable_debug` should not exist in extraConfig + - metrics.disableAgentHostName: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig + - metrics.enableHostMetrics: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig + - metrics.prefixFilter + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig + - metrics.datadog.enabled: + - if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig + +Usage: {{ template "consul.validateExtraConfig" . }} +*/}} +{{- define "consul.validateExtraConfig" -}} +{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }} +{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }} +{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }} +{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }} +{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Calculate max number of server pods that are allowed to be voluntarily disrupted. +When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge +case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and +I don't want to change it for this edge case. +Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate +to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft +is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change, +but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1. +*/}} +{{- define "consul.server.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{ 1 }} +{{- end -}} +{{- end -}} + +{{- define "consul.server.autopilotMinQuorum" -}} +{{- add (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} + +{{/* +Validation for Consul Metrics configuration: + +Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.disableAgentHostName = true + +Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.disableAgentHostName = true + +Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.enableHostMetrics = true + +Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.enableHostMetrics = true + +Usage: {{ template "consul.validateMetricsConfig" . }} + +*/}} + +{{- define "consul.validateMetricsConfig" -}} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}} +{{- end }} +{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}} +{{- end }} +{{- end -}} + +{{/* +Validation for Consul Datadog Integration deployment: + +Fail if Datadog integration enabled and Consul server agent telemetry is not enabled. + - global.metrics.datadog.enabled=true + - global.metrics.enableAgentMetrics=false || global.metrics.enabled=false + +Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured. + - global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option) + - global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`) + - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both + +Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled. + - global.metrics.datadog.otlp.enabled=true + - telemetryCollector.enabled=false + +Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc" + - global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc" + +Usage: {{ template "consul.validateDatadogConfiguration" . }} + +*/}} + +{{- define "consul.validateDatadogConfiguration" -}} +{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}} +{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}} +{{- end }} +{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} +{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }} +{{- end }} +{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }} +{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }} +{{- end }} +{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }} +{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }} +{{- end }} +{{- end -}} + +{{/* +Sets the dogstatsd_addr field of the agent configuration dependent on the +socket transport type being used: + - "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket) + - "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125) +- global.metrics.enableDatadogIntegration.dogstatsd configuration + +Usage: {{ template "consul.dogstatsdAaddressInfo" . }} +*/}} + +{{- define "consul.dogstatsdAaddressInfo" -}} +{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }} + "dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }} +{{- end -}} + +{{/* +Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls: + +Usage: {{ template "consul.prefixFilter" . }} +*/}} +{{- define "consul.prefixFilter" -}} +{{- $allowList := .Values.global.metrics.prefixFilter.allowList }} +{{- $blockList := .Values.global.metrics.prefixFilter.blockList }} +{{- if and (not (empty $allowList)) (not (empty $blockList)) }} + "prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}} + "{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $allowList) }} + "prefix_filter": [{{- range $index, $value := $allowList -}} + "{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $blockList) }} + "prefix_filter": [{{- range $index, $value := $blockList -}} + "{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}} + {{- end -}}], +{{- end }} +{{- end -}} + +{{/* +Retrieves the global consul/consul-enterprise version string for use with labels or tags. +Requirements for valid labels: + - a valid label must be an empty string or consist of + => alphanumeric characters + => '-', '_' or '.' + => must start and end with an alphanumeric character + (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is + '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +Usage: {{ template "consul.versionInfo" }} +*/}} +{{- define "consul.versionInfo" -}} +{{- $imageVersion := regexSplit ":" .Values.global.image -1 }} +{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }} +{{- $sanitizedVersion := "" }} +{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }} +{{- if not (regexMatch $pattern $versionInfo) -}} + {{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }} + {{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}} +{{- else }} + {{- $sanitizedVersion = $versionInfo }} +{{- end -}} +{{- printf "%s" $sanitizedVersion | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..453be66054 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: ["/consul-bin/consul", "logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.4.1/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.4.1/templates/client-daemonset.yaml new file mode 100644 index 0000000000..3f04e826f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-daemonset.yaml @@ -0,0 +1,606 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/consul" + - "logout" + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-role.yaml b/charts/hashicorp/consul/1.4.1/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.1/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..c6845870ba --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,287 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshconfigurations + - grpcroutes + - httproutes + - meshgateways + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs/status + - gatewayclasses/status + - meshconfigurations/status + - grpcroutes/status + - httproutes/status + - meshgateways/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..1565e92811 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-deployment.yaml @@ -0,0 +1,368 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- if (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.1/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-apigateways.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-apigateways.yaml new file mode 100644 index 0000000000..755fb05b64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-apigateways.yaml @@ -0,0 +1,240 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: apigateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: APIGateway + listKind: APIGatewayList + plural: apigateways + singular: apigateway + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: APIGateway is the Schema for the API Gateway + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the APIGateway + type: string + listeners: + items: + properties: + hostname: + description: Hostname is the host name that a listener should + be bound to, if unspecified, the listener accepts requests + for all hostnames. + type: string + name: + description: Name is the name of the listener in a given gateway. + This must be unique within a gateway. + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: Protocol is the protocol that a listener should + use, it must either be "http" or "tcp" + type: string + tls: + description: TLS is the TLS settings for the listener. + properties: + certificates: + description: Certificates is a set of references to certificates + that a gateway listener uses for TLS termination. + items: + description: Reference identifies which resource a condition + relates to, when it is not the core resource itself. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the + resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all partitions." + type: string + peerName: + description: "PeerName identifies which peer the + resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes are + made to the group's resource types. + type: string + kind: + description: Kind identifies the specific resource + type within the group. + type: string + type: object + type: object + type: array + tlsParameters: + description: TLSParameters contains optional configuration + for running TLS termination. + properties: + cipherSuites: + items: + enum: + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA + - TLS_CIPHER_SUITE_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA + - TLS_CIPHER_SUITE_AES256_GCM_SHA384 + format: int32 + type: string + type: array + maxVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + minVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + type: object + type: object + type: object + minItems: 1 + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices-v1.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices-v1.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..6613e3da7e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-exportedservices.yaml @@ -0,0 +1,108 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.multicluster.consul.hashicorp.com +spec: + group: multicluster.consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the Exported Services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + consumers: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + services: + items: + type: string + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs-v1.yaml new file mode 100644 index 0000000000..41023c19dc --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs-v1.yaml @@ -0,0 +1,218 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + metrics: + description: Metrics defines how to configure the metrics for a gateway. + properties: + enabled: + description: Enable metrics for this class of gateways. If unspecified, + will inherit behavior from the global Helm configuration. + type: boolean + path: + description: The path used for metrics. + type: string + port: + description: The port used for metrics. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..93effd843b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,1826 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClassConfig is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayClassConfigSpec specifies the desired state of the + GatewayClassConfig CRD. + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + deployment: + description: Deployment contains config specific to the Deployment + created from this GatewayClass + properties: + affinity: + description: Affinity specifies the affinity to use on the created + Deployment. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + container: + description: Container contains config specific to the created + Deployment's container. + properties: + consul: + description: Consul specifies configuration for the consul-dataplane + container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + hostPort: + description: HostPort specifies a port to be exposed to the + external host network + format: int32 + type: integer + portModifier: + description: PortModifier specifies the value to be added + to every port value for listeners on this gateway. This + is generally used to avoid binding to privileged ports in + the container. + format: int32 + type: integer + resources: + description: Resources specifies the resource requirements + for the created Deployment's container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + dnsPolicy: + description: DNSPolicy specifies the dns policy to use. These + are set on a per pod basis. + enum: + - Default + - ClusterFirst + - ClusterFirstWithHostNet + - None + type: string + hostNetwork: + description: HostNetwork specifies whether the gateway pods should + run on the host network. + type: boolean + initContainer: + description: InitContainer contains config specific to the created + Deployment's init container. + properties: + consul: + description: Consul specifies configuration for the consul-k8s-control-plane + init container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + resources: + description: Resources specifies the resource requirements + for the created Deployment's init container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a feature that constrains the scheduling + of a pod to nodes that match specified labels. By defining NodeSelector + in a pod''s configuration, you can ensure that the pod is only + scheduled to nodes with the corresponding labels, providing + a way to influence the placement of workloads based on node + attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: PriorityClassName specifies the priority class name + to use on the created Deployment. + type: string + replicas: + description: Replicas specifies the configuration to control the + number of replicas for the created Deployment. + properties: + default: + description: Default is the number of replicas assigned to + the Deployment when created + format: int32 + type: integer + max: + description: Max is the maximum number of replicas allowed + for a gateway with this class. If the replica count exceeds + this value due to manual or automated scaling, the replica + count will be restored to this value. + format: int32 + type: integer + min: + description: Min is the minimum number of replicas allowed + for a gateway with this class. If the replica count drops + below this value due to manual or automated scaling, the + replica count will be restored to this value. + format: int32 + type: integer + type: object + securityContext: + description: SecurityContext specifies the security context for + the created Deployment's Pod. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for the uid of the container process. + If unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image + for the uid of the container process are still effective, + even if they are not included in this list. Note that this + field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + tolerations: + description: Tolerations specifies the tolerations to use on the + created Deployment. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: 'TopologySpreadConstraints is a feature that controls + how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a beta-level + feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + role: + description: Role contains config specific to the Role created from + this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + roleBinding: + description: RoleBinding contains config specific to the RoleBinding + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + service: + description: Service contains config specific to the Service created + from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: + description: Type specifies the type of Service to use (LoadBalancer, + ClusterIP, etc.) + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + type: object + serviceAccount: + description: ServiceAccount contains config specific to the corev1.ServiceAccount + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..93435b7fce --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,328 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..70763f9104 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gatewayclasses.yaml @@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClass is the Schema for the Gateway Class API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName is the name of the Kubernetes controller + that manages Gateways of this class + type: string + description: + description: Description of GatewayClass + type: string + parametersRef: + description: ParametersRef refers to a resource responsible for configuring + the behavior of the GatewayClass. + properties: + group: + description: The Kubernetes Group that the referred object belongs + to + type: string + kind: + description: The Kubernetes Kind that the referred object is + type: string + name: + description: The Name of the referred object + type: string + namespace: + description: The kubernetes namespace that the referred object + is in + type: string + required: + - name + type: object + required: + - controllerName + - parametersRef + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..41df34942a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-gateways-external.yaml @@ -0,0 +1,882 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..739ed2c659 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,766 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..bba3672d16 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-httproutes-external.yaml @@ -0,0 +1,1914 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-meshconfigurations.yaml new file mode 100644 index 0000000000..21114d723f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-meshconfigurations.yaml @@ -0,0 +1,100 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshConfiguration + listKind: MeshConfigurationList + plural: meshconfigurations + singular: meshconfiguration + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshConfiguration is the Schema for the Mesh Configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshConfiguration is responsible for configuring the default + behavior of Mesh Gateways. This is a Resource type. + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-meshgateways.yaml new file mode 100644 index 0000000000..6202add695 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-meshgateways.yaml @@ -0,0 +1,134 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshgateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshGateway is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the MeshGateway + type: string + listeners: + items: + properties: + name: + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + enum: + - TCP + type: string + type: object + minItems: 1 + type: array + workloads: + description: Selection of workloads to be configured as mesh gateways + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..3d19d5ea4f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,405 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int32 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..db9cf12027 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-referencegrants-external.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..07ebfe9386 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,107 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + format: duration + type: string + requestTimeout: + format: duration + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c7924081fd --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: 'RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + caseInsensitive: + description: CaseInsensitive configures PathExact and + PathPrefix matches to ignore upper/lower casing. + type: boolean + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..b5bc7be13c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-terminatinggateways.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-terminatinggateways.yaml rename to charts/hashicorp/consul/1.4.1/templates/crd-terminatinggateways.yaml diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..1acd1b973a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,291 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.4.1/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..0661b24c1a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/crd-udproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..aff6b5a934 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.4.1/templates/datadog-agent-role.yaml new file mode 100644 index 0000000000..191e6433c6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/datadog-agent-role.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: datadog + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +{{- if .Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- else}} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: + - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token + verbs: [ "get", "watch", "list" ] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/datadog-agent-rolebinding.yaml new file mode 100644 index 0000000000..5fc3fdf545 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/datadog-agent-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +subjects: + - kind: ServiceAccount + apiGroup: "" + name: datadog-agent + namespace: datadog + - kind: ServiceAccount + apiGroup: "" + name: datadog-cluster-agent + namespace: datadog +roleRef: + kind: Role + name: {{ template "consul.fullname" . }}-datadog-metrics + apiGroup: "" +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/dns-service.yaml b/charts/hashicorp/consul/1.4.1/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..8db9500a22 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.4.1/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..5518bfc390 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,44 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshgateways + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..0d4f84272c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-job.yaml @@ -0,0 +1,67 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..ad7082f060 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,47 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - meshgateways + verbs: + - get + - update + - create + - apiGroups: + - consul.hashicorp.com + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + - mesh.consul.hashicorp.com + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..842ba6690d --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.connectInject.enabled }} + +# Validation +# For meshGateway.wanAddress, static must be set if source is "Static" +{{if (and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static ""))}}{{fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static"}}{{ end }} + +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled }} + config.yaml: | + gatewayClassConfigs: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + metadata: + name: consul-mesh-gateway + kind: GatewayClassConfig + spec: + labels: + set: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + deployment: + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: {{ toJson (default "{}" .Values.meshGateway.affinity) }} + {{- end }} + {{- if .Values.meshGateway.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.annotations }} + {{- end }} + {{- if .Values.global.extraLabels }} + labels: + set: {{ toJson .Values.global.extraLabels }} + {{- end }} + container: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + portModifier: {{ sub .Values.meshGateway.containerPort .Values.meshGateway.service.port }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + resources: {{ toJson .Values.meshGateway.resources }} + initContainer: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + resources: {{ toJson .Values.meshGateway.initServiceInitContainer.resources }} + {{- with .Values.meshGateway.nodeSelector }} + nodeSelector: {{ fromYaml . | toJson }} + {{- end }} + {{- with .Values.meshGateway.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ fromYamlArray . | toJson }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 16 | trim }} + {{- end }} + replicas: + default: {{ .Values.meshGateway.replicas }} + min: {{ .Values.meshGateway.replicas }} + max: {{ .Values.meshGateway.replicas }} + {{- if .Values.meshGateway.tolerations }} + tolerations: {{ fromYamlArray .Values.meshGateway.tolerations | toJson }} + {{- end }} + service: + {{- if .Values.meshGateway.service.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.service.annotations }} + {{- end }} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.serviceAccount.annotations }} + serviceAccount: + annotations: + set: {{ toJson .Values.meshGateway.serviceAccount.annotations }} + {{- end }} + meshGateways: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + kind: MeshGateway + metadata: + name: mesh-gateway + namespace: {{ .Release.Namespace }} + annotations: + # TODO are these annotations even necessary? + "consul.hashicorp.com/gateway-wan-address-source": {{ .Values.meshGateway.wanAddress.source | quote }} + "consul.hashicorp.com/gateway-wan-address-static": {{ .Values.meshGateway.wanAddress.static | quote }} + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.nodePort | quote }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.port | quote }} + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.wanAddress.port | quote }} + {{- end }} + spec: + gatewayClassName: consul-mesh-gateway + listeners: + - name: "wan" + port: {{ .Values.meshGateway.service.port }} + protocol: "TCP" + workloads: + prefixes: + - "mesh-gateway" + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..ead22833e9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-job.yaml @@ -0,0 +1,133 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263 + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- if (ne (.Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString) "-") }} + - -enable-metrics={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + - -metrics-path={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + - -metrics-port={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cea13c77fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..448c810262 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,368 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..3053105105 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,36 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..2fb80fc04c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..efcc1f910b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,321 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + securityContext: + capabilities: + {{ if not .Values.meshGateway.hostNetwork}} + drop: + - ALL + {{- end }} + add: + - NET_BIND_SERVICE + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..56e4b7924c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..80f82ac897 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-service.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..b1a0661eaa --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-init-job.yaml new file mode 100644 index 0000000000..21ad2930b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-init-job.yaml @@ -0,0 +1,131 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/prometheus.yaml b/charts/hashicorp/consul/1.4.1/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..2e798a54d5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-job.yaml @@ -0,0 +1,353 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + exec consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if (and (not .Values.global.metrics.datadog.dogstatsd.enabled) .Values.global.metrics.datadog.enabled .Values.global.acls.manageSystemACLs) }} + -create-dd-agent-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.4.1/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8c74364a29 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-config-configmap.yaml @@ -0,0 +1,220 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "enable_debug": {{ .Values.server.enableAgentDebug }}, + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true, + "leave_on_terminate": true, + "autopilot": { + "min_quorum": {{ template "consul.server.autopilotMinQuorum" . }}, + "disable_upgrade_migration": true + } + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}", + "disable_hostname": {{ .Values.global.metrics.disableAgentHostName }},{{ template "consul.prefixFilter" . }} + "enable_host_metrics": {{ .Values.global.metrics.enableHostMetrics }}{{- if .Values.global.metrics.datadog.dogstatsd.enabled }},{{ template "consul.dogstatsdAaddressInfo" . }} + {{- if .Values.global.metrics.datadog.dogstatsd.enabled }} + "dogstatsd_tags": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson }} + {{- end }} + {{- end }} + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.1/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..56805edc2a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.server.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-role.yaml b/charts/hashicorp/consul/1.4.1/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.1/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-service.yaml b/charts/hashicorp/consul/1.4.1/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.4.1/templates/server-statefulset.yaml new file mode 100644 index 0000000000..6dcd2e320a --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-statefulset.yaml @@ -0,0 +1,747 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateMetricsConfig" . }} +{{ template "consul.validateDatadogConfiguration" . }} +{{ template "consul.validateExtraConfig" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.global.metrics.datadog.enabled }} + "tags.datadoghq.com/version": {{ template "consul.versionInfo" . }} + "tags.datadoghq.com/env": {{ template "consul.name" . }} + "tags.datadoghq.com/service": "consul-server" + {{- end }} + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + {{- if not .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/v1/agent/metrics" + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + {{- if .Values.global.metrics.datadog.enabled }} + "ad.datadoghq.com/tolerate-unready": "true" + "ad.datadoghq.com/consul.logs": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson | replace "[" "[{" | replace "]" "}]" | replace ":" "\": \"" | join "\",\"" | squote }} + {{- if .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "ad.datadoghq.com/consul.checks": | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "openmetrics_endpoint": "https://consul-server.{{ .Release.Namespace }}.svc:8501/v1/agent/metrics?format=prometheus", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus", + {{- end }} + {{- if ( .Values.global.acls.manageSystemACLs) }} + "headers": { + "X-Consul-Token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]" + }, + {{- end }} + "namespace": "{{ .Release.Namespace }}", + "metrics": [ ".*" ] + } + ] + } + } + {{- else if (not .Values.global.metrics.datadog.dogstatsd.enabled) }} + "ad.datadoghq.com/consul.checks": | + { + "consul": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "url": "https://consul-server.{{ .Release.Namespace }}.svc:8501", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "url": "http://consul-server.consul.svc:8500", + {{- end }} + "use_prometheus_endpoint": true, + {{- if ( .Values.global.acls.manageSystemACLs) }} + "acl_token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]", + {{- end }} + "new_leader_checks": true, + "network_latency_checks": true, + "catalog_checks": true, + "auth_type": "basic" + } + ] + } + } + {{- else }} + "ad.datadoghq.com/consul.metrics_exclude": "true" + {{- end }} + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + hostPath: + path: /var/run/datadog + type: DirectoryOrCreate + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image | trimPrefix "\"" | trimSuffix "\"" }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + + {{- if .Values.global.experiments }} + {{- $commaSeparatedValues := "" }} + {{- range $index, $value := .Values.global.experiments }} + {{- if ne $index 0 }} + {{- $commaSeparatedValues = printf "%s,\\\"%s\\\"" $commaSeparatedValues $value }} + {{- else }} + {{- $commaSeparatedValues = printf "\\\"%s\\\"" $value }} + {{- end }} + {{- end }} + -hcl="experiments=[{{ $commaSeparatedValues }}]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + mountPath: /var/run/datadog + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/sync-catalog-clusterrole.yaml rename to charts/hashicorp/consul/1.4.1/templates/sync-catalog-clusterrole.yaml diff --git a/charts/hashicorp/consul/1.4.1/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..8bd3e0af61 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-deployment.yaml @@ -0,0 +1,234 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..f7b6d7bd2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,449 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- if .Values.global.metrics.datadog.otlp.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if eq (.Values.global.metrics.datadog.otlp.protocol | lower ) "http" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "http://$(HOST_IP):4318" + {{- else if eq (.Values.global.metrics.datadog.otlp.protocol | lower) "grpc" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "grpc://$(HOST_IP):4317" + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..09f4a2dbbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..a04bbbfa1f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,345 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + "prometheus.io/path": "/metrics" + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..4ae280ca81 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-role.yaml @@ -0,0 +1,43 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if (or $root.Values.global.acls.manageSystemACLs $root.Values.global.enablePodSecurityPolicies) }} +rules: +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.4.1/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-job.yaml new file mode 100644 index 0000000000..41c0c2827e --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + exec consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.4.1/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/ui-service.yaml b/charts/hashicorp/consul/1.4.1/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..45c87c9ceb --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.1/values.yaml b/charts/hashicorp/consul/1.4.1/values.yaml new file mode 100644 index 0000000000..42c5cc95da --- /dev/null +++ b/charts/hashicorp/consul/1.4.1/values.yaml @@ -0,0 +1,3778 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.18.1 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.4.1 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + disableAgentHostName: false + + # Configures consul agent underlying host metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + enableHostMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # Configures the list of filter rules to apply for allowing or blocking + # metrics by prefix in the following format: + # + # A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. + # If there is overlap between two rules, the more specific rule will take precedence. + # Blocking will take priority if the same prefix is listed multiple times. + prefixFilter: + # @type: array + allowList: [] + # @type: array + blockList: [] + + # Configures consul integration configurations for datadog on kubernetes. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + datadog: + # Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) + # by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses + # are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: + # - Serf events and member flaps + # - The Raft protocol + # - DNS performance + # - API Endpoints scraped: + # - `/v1/agent/metrics?format=prometheus` + # - `/v1/agent/self` + # - `/v1/status/leader` + # - `/v1/status/peers` + # - `/v1/catalog/services` + # - `/v1/health/service` + # - `/v1/health/state/any` + # - `/v1/coordinate/datacenters` + # - `/v1/coordinate/nodes` + # + # Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks + # in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. + # + # ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul + # residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire + # to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + # + # @default: false + # @type: boolean + enabled: false + + # Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. + # This configuration is less common and more for advanced usage with custom metrics monitoring + # configurations. Refer to the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2) for more details. + openMetricsPrometheus: + # @default: false + # @type: boolean + enabled: false + + otlp: + # Enables forwarding of Consul's Telemetry Collector OTLP metrics for + # ingestion by Datadog Agent. + # @default: false + # @type: boolean + enabled: false + # Protocol used for DataDog Endpoint OTLP ingestion. + # + # Valid protocol options are one of either: + # + # - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" + # - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + # + # @default: "http" + # @type: string + protocol: "http" + + # Configuration settings for DogStatsD metrics aggregation service + # that is bundled with the Datadog Agent. + # DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: + # - Histogram metric type + # - Service checks + # - Events + # - Tagging + dogstatsd: + enabled: false + # Sets the socket transport type for dogstatsd: + # - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") + # If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for + # managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). + # The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + # + # Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + # + # ```yaml + # volumes: + # - name: dsdsocket + # hostPath: + # path: /var/run/datadog + # type: DirectoryOrCreate + # volumeMounts: + # - name: dsdsocket + # mountPath: /var/run/datadog + # readOnly: true + # ``` + # - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based + # dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + # + # @default: "UDS" + # @type: string + socketTransportType: "UDS" + # Sets URL path for dogstatsd: + # + # Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the + # consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" + # the path will be prepended to the specified `dogstatsdPort`. + # + # @default: "/var/run/datadog/dsd.socket" + # @type: string + dogstatsdAddr: "/var/run/datadog/dsd.socket" + # Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + # + # If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to + # mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with + # default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value + # of "172.10.23.6". + # + # @default: 0 + # @type: integer + dogstatsdPort: 0 + # Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) + # style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) + # configuration for Consul. + # + # The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation + # will reside on the consul-server statefulset as autodiscovery annotations. + # (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + # + # @default: ["source:consul","consul_service:consul-server"] + # @type: array + dogstatsdTags: ["source:consul","consul_service:consul-server"] + # Namespace + # + # @default: "default" + # @type: string + namespace: "default" + + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.4.1 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # - `resource-apis`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # - `v2tenancy`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul V2 resources (catalog, mesh, auth, etc) + # will use V2 implementations for tenancy (partitions and namesapces) + # instead of bridging to the existing V1 implementations. The + # `resource-apis` feature flag must also be set. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + # When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. + # This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. + # If you change this setting, you must restart the agent for the change to take effect. Default is false. + # @type: boolean + enableAgentDebug: false + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to + # the correct number when left as null. This setting has been kept to preserve backwards compatibility. + # + # By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft + # consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum + # size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum + # size would change. That's why this is set to 1 internally and should not be changed in most cases. + # + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # Metrics settings for gateways created with this gateway class configuration. + metrics: + # This value enables or disables metrics collection on a gateway, overriding the global gateway metrics collection settings. + # @type: boolean + enabled: "-" + # This value sets the port to use for scraping gateway metrics via prometheus, defaults to 20200 if not set. Must be in the port + # range of 1024-65535. + # @type: int + port: null + # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. + # @type: string + path: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: Service + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.4.2/.helmignore b/charts/hashicorp/consul/1.4.2/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.4.2/Chart.yaml b/charts/hashicorp/consul/1.4.2/Chart.yaml new file mode 100644 index 0000000000..4bed92bd0e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.18.2 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.4.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.4.2 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.18.2 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.4.2 diff --git a/charts/hashicorp/consul/1.4.2/README.md b/charts/hashicorp/consul/1.4.2/README.md new file mode 100644 index 0000000000..a0a9929ed4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.4.2/addons/gen.sh b/charts/hashicorp/consul/1.4.2/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.4.2/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.4.2/assets/icon.png b/charts/hashicorp/consul/1.4.2/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.4.2/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.4.2/templates/NOTES.txt b/charts/hashicorp/consul/1.4.2/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/_helpers.tpl b/charts/hashicorp/consul/1.4.2/templates/_helpers.tpl new file mode 100644 index 0000000000..ca87485a78 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/_helpers.tpl @@ -0,0 +1,688 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Cleanup server.extraConfig entries to avoid conflicting entries: + - server.enableAgentDebug: + - `enable_debug` should not exist in extraConfig + - metrics.disableAgentHostName: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig + - metrics.enableHostMetrics: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig + - metrics.prefixFilter + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig + - metrics.datadog.enabled: + - if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig + +Usage: {{ template "consul.validateExtraConfig" . }} +*/}} +{{- define "consul.validateExtraConfig" -}} +{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }} +{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }} +{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }} +{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }} +{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Calculate max number of server pods that are allowed to be voluntarily disrupted. +When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge +case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and +I don't want to change it for this edge case. +Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate +to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft +is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change, +but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1. +*/}} +{{- define "consul.server.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{ 1 }} +{{- end -}} +{{- end -}} + +{{- define "consul.server.autopilotMinQuorum" -}} +{{- add (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} + +{{/* +Validation for Consul Metrics configuration: + +Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.disableAgentHostName = true + +Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.disableAgentHostName = true + +Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.enableHostMetrics = true + +Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.enableHostMetrics = true + +Usage: {{ template "consul.validateMetricsConfig" . }} + +*/}} + +{{- define "consul.validateMetricsConfig" -}} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}} +{{- end }} +{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}} +{{- end }} +{{- end -}} + +{{/* +Validation for Consul Datadog Integration deployment: + +Fail if Datadog integration enabled and Consul server agent telemetry is not enabled. + - global.metrics.datadog.enabled=true + - global.metrics.enableAgentMetrics=false || global.metrics.enabled=false + +Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured. + - global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option) + - global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`) + - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both + +Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled. + - global.metrics.datadog.otlp.enabled=true + - telemetryCollector.enabled=false + +Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc" + - global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc" + +Usage: {{ template "consul.validateDatadogConfiguration" . }} + +*/}} + +{{- define "consul.validateDatadogConfiguration" -}} +{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}} +{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}} +{{- end }} +{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} +{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }} +{{- end }} +{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }} +{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }} +{{- end }} +{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }} +{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }} +{{- end }} +{{- end -}} + +{{/* +Sets the dogstatsd_addr field of the agent configuration dependent on the +socket transport type being used: + - "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket) + - "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125) +- global.metrics.enableDatadogIntegration.dogstatsd configuration + +Usage: {{ template "consul.dogstatsdAaddressInfo" . }} +*/}} + +{{- define "consul.dogstatsdAaddressInfo" -}} +{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }} + "dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }} +{{- end -}} + +{{/* +Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls: + +Usage: {{ template "consul.prefixFilter" . }} +*/}} +{{- define "consul.prefixFilter" -}} +{{- $allowList := .Values.global.metrics.prefixFilter.allowList }} +{{- $blockList := .Values.global.metrics.prefixFilter.blockList }} +{{- if and (not (empty $allowList)) (not (empty $blockList)) }} + "prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}} + "{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $allowList) }} + "prefix_filter": [{{- range $index, $value := $allowList -}} + "{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $blockList) }} + "prefix_filter": [{{- range $index, $value := $blockList -}} + "{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}} + {{- end -}}], +{{- end }} +{{- end -}} + +{{/* +Retrieves the global consul/consul-enterprise version string for use with labels or tags. +Requirements for valid labels: + - a valid label must be an empty string or consist of + => alphanumeric characters + => '-', '_' or '.' + => must start and end with an alphanumeric character + (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is + '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +Usage: {{ template "consul.versionInfo" }} +*/}} +{{- define "consul.versionInfo" -}} +{{- $imageVersion := regexSplit ":" .Values.global.image -1 }} +{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }} +{{- $sanitizedVersion := "" }} +{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }} +{{- if not (regexMatch $pattern $versionInfo) -}} + {{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }} + {{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}} +{{- else }} + {{- $sanitizedVersion = $versionInfo }} +{{- end -}} +{{- printf "%s" $sanitizedVersion | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..453be66054 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: ["/consul-bin/consul", "logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.4.2/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.4.2/templates/client-daemonset.yaml new file mode 100644 index 0000000000..cf0cb1d686 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-daemonset.yaml @@ -0,0 +1,608 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.client.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/v1/agent/metrics" + {{- end }} + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/consul" + - "logout" + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-role.yaml b/charts/hashicorp/consul/1.4.2/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.2/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..c6845870ba --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,287 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshconfigurations + - grpcroutes + - httproutes + - meshgateways + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs/status + - gatewayclasses/status + - meshconfigurations/status + - grpcroutes/status + - httproutes/status + - meshgateways/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..fe07c2581a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-deployment.yaml @@ -0,0 +1,370 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- if (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-startup-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultStartupGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-lifecycle-graceful-startup-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulStartupPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.2/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-apigateways.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-apigateways.yaml new file mode 100644 index 0000000000..755fb05b64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-apigateways.yaml @@ -0,0 +1,240 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: apigateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: APIGateway + listKind: APIGatewayList + plural: apigateways + singular: apigateway + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: APIGateway is the Schema for the API Gateway + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the APIGateway + type: string + listeners: + items: + properties: + hostname: + description: Hostname is the host name that a listener should + be bound to, if unspecified, the listener accepts requests + for all hostnames. + type: string + name: + description: Name is the name of the listener in a given gateway. + This must be unique within a gateway. + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: Protocol is the protocol that a listener should + use, it must either be "http" or "tcp" + type: string + tls: + description: TLS is the TLS settings for the listener. + properties: + certificates: + description: Certificates is a set of references to certificates + that a gateway listener uses for TLS termination. + items: + description: Reference identifies which resource a condition + relates to, when it is not the core resource itself. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the + resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all partitions." + type: string + peerName: + description: "PeerName identifies which peer the + resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes are + made to the group's resource types. + type: string + kind: + description: Kind identifies the specific resource + type within the group. + type: string + type: object + type: object + type: array + tlsParameters: + description: TLSParameters contains optional configuration + for running TLS termination. + properties: + cipherSuites: + items: + enum: + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA + - TLS_CIPHER_SUITE_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA + - TLS_CIPHER_SUITE_AES256_GCM_SHA384 + format: int32 + type: string + type: array + maxVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + minVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + type: object + type: object + type: object + minItems: 1 + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices-v1.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices-v1.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..6613e3da7e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-exportedservices.yaml @@ -0,0 +1,108 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.multicluster.consul.hashicorp.com +spec: + group: multicluster.consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the Exported Services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + consumers: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + services: + items: + type: string + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs-v1.yaml new file mode 100644 index 0000000000..41023c19dc --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs-v1.yaml @@ -0,0 +1,218 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + metrics: + description: Metrics defines how to configure the metrics for a gateway. + properties: + enabled: + description: Enable metrics for this class of gateways. If unspecified, + will inherit behavior from the global Helm configuration. + type: boolean + path: + description: The path used for metrics. + type: string + port: + description: The port used for metrics. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..93effd843b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,1826 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClassConfig is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayClassConfigSpec specifies the desired state of the + GatewayClassConfig CRD. + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + deployment: + description: Deployment contains config specific to the Deployment + created from this GatewayClass + properties: + affinity: + description: Affinity specifies the affinity to use on the created + Deployment. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + container: + description: Container contains config specific to the created + Deployment's container. + properties: + consul: + description: Consul specifies configuration for the consul-dataplane + container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + hostPort: + description: HostPort specifies a port to be exposed to the + external host network + format: int32 + type: integer + portModifier: + description: PortModifier specifies the value to be added + to every port value for listeners on this gateway. This + is generally used to avoid binding to privileged ports in + the container. + format: int32 + type: integer + resources: + description: Resources specifies the resource requirements + for the created Deployment's container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + dnsPolicy: + description: DNSPolicy specifies the dns policy to use. These + are set on a per pod basis. + enum: + - Default + - ClusterFirst + - ClusterFirstWithHostNet + - None + type: string + hostNetwork: + description: HostNetwork specifies whether the gateway pods should + run on the host network. + type: boolean + initContainer: + description: InitContainer contains config specific to the created + Deployment's init container. + properties: + consul: + description: Consul specifies configuration for the consul-k8s-control-plane + init container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + resources: + description: Resources specifies the resource requirements + for the created Deployment's init container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a feature that constrains the scheduling + of a pod to nodes that match specified labels. By defining NodeSelector + in a pod''s configuration, you can ensure that the pod is only + scheduled to nodes with the corresponding labels, providing + a way to influence the placement of workloads based on node + attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: PriorityClassName specifies the priority class name + to use on the created Deployment. + type: string + replicas: + description: Replicas specifies the configuration to control the + number of replicas for the created Deployment. + properties: + default: + description: Default is the number of replicas assigned to + the Deployment when created + format: int32 + type: integer + max: + description: Max is the maximum number of replicas allowed + for a gateway with this class. If the replica count exceeds + this value due to manual or automated scaling, the replica + count will be restored to this value. + format: int32 + type: integer + min: + description: Min is the minimum number of replicas allowed + for a gateway with this class. If the replica count drops + below this value due to manual or automated scaling, the + replica count will be restored to this value. + format: int32 + type: integer + type: object + securityContext: + description: SecurityContext specifies the security context for + the created Deployment's Pod. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for the uid of the container process. + If unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image + for the uid of the container process are still effective, + even if they are not included in this list. Note that this + field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + tolerations: + description: Tolerations specifies the tolerations to use on the + created Deployment. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: 'TopologySpreadConstraints is a feature that controls + how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a beta-level + feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + role: + description: Role contains config specific to the Role created from + this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + roleBinding: + description: RoleBinding contains config specific to the RoleBinding + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + service: + description: Service contains config specific to the Service created + from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: + description: Type specifies the type of Service to use (LoadBalancer, + ClusterIP, etc.) + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + type: object + serviceAccount: + description: ServiceAccount contains config specific to the corev1.ServiceAccount + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..93435b7fce --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,328 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..70763f9104 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gatewayclasses.yaml @@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClass is the Schema for the Gateway Class API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName is the name of the Kubernetes controller + that manages Gateways of this class + type: string + description: + description: Description of GatewayClass + type: string + parametersRef: + description: ParametersRef refers to a resource responsible for configuring + the behavior of the GatewayClass. + properties: + group: + description: The Kubernetes Group that the referred object belongs + to + type: string + kind: + description: The Kubernetes Kind that the referred object is + type: string + name: + description: The Name of the referred object + type: string + namespace: + description: The kubernetes namespace that the referred object + is in + type: string + required: + - name + type: object + required: + - controllerName + - parametersRef + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..41df34942a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-gateways-external.yaml @@ -0,0 +1,882 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..739ed2c659 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,766 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..bba3672d16 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-httproutes-external.yaml @@ -0,0 +1,1914 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-meshconfigurations.yaml new file mode 100644 index 0000000000..21114d723f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-meshconfigurations.yaml @@ -0,0 +1,100 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshConfiguration + listKind: MeshConfigurationList + plural: meshconfigurations + singular: meshconfiguration + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshConfiguration is the Schema for the Mesh Configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshConfiguration is responsible for configuring the default + behavior of Mesh Gateways. This is a Resource type. + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-meshgateways.yaml new file mode 100644 index 0000000000..6202add695 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-meshgateways.yaml @@ -0,0 +1,134 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshgateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshGateway is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the MeshGateway + type: string + listeners: + items: + properties: + name: + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + enum: + - TCP + type: string + type: object + minItems: 1 + type: array + workloads: + description: Selection of workloads to be configured as mesh gateways + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..3d19d5ea4f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,405 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int32 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..db9cf12027 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-referencegrants-external.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..07ebfe9386 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,107 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + format: duration + type: string + requestTimeout: + format: duration + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c7924081fd --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: 'RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + caseInsensitive: + description: CaseInsensitive configures PathExact and + PathPrefix matches to ignore upper/lower casing. + type: boolean + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..b5bc7be13c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..cd53122e9d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-terminatinggateways.yaml @@ -0,0 +1,141 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + disableAutoHostRewrite: + description: DisableAutoHostRewrite disables terminating gateways + auto host rewrite feature when set to true. + type: boolean + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..1acd1b973a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,291 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.4.2/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..0661b24c1a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/crd-udproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..aff6b5a934 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.4.2/templates/datadog-agent-role.yaml new file mode 100644 index 0000000000..191e6433c6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/datadog-agent-role.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: datadog + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +{{- if .Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- else}} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: + - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token + verbs: [ "get", "watch", "list" ] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/datadog-agent-rolebinding.yaml new file mode 100644 index 0000000000..5fc3fdf545 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/datadog-agent-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +subjects: + - kind: ServiceAccount + apiGroup: "" + name: datadog-agent + namespace: datadog + - kind: ServiceAccount + apiGroup: "" + name: datadog-cluster-agent + namespace: datadog +roleRef: + kind: Role + name: {{ template "consul.fullname" . }}-datadog-metrics + apiGroup: "" +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/dns-service.yaml b/charts/hashicorp/consul/1.4.2/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..8db9500a22 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.4.2/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..5518bfc390 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,44 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshgateways + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..0d4f84272c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-job.yaml @@ -0,0 +1,67 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..ad7082f060 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,47 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - meshgateways + verbs: + - get + - update + - create + - apiGroups: + - consul.hashicorp.com + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + - mesh.consul.hashicorp.com + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..842ba6690d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.connectInject.enabled }} + +# Validation +# For meshGateway.wanAddress, static must be set if source is "Static" +{{if (and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static ""))}}{{fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static"}}{{ end }} + +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled }} + config.yaml: | + gatewayClassConfigs: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + metadata: + name: consul-mesh-gateway + kind: GatewayClassConfig + spec: + labels: + set: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + deployment: + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: {{ toJson (default "{}" .Values.meshGateway.affinity) }} + {{- end }} + {{- if .Values.meshGateway.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.annotations }} + {{- end }} + {{- if .Values.global.extraLabels }} + labels: + set: {{ toJson .Values.global.extraLabels }} + {{- end }} + container: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + portModifier: {{ sub .Values.meshGateway.containerPort .Values.meshGateway.service.port }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + resources: {{ toJson .Values.meshGateway.resources }} + initContainer: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + resources: {{ toJson .Values.meshGateway.initServiceInitContainer.resources }} + {{- with .Values.meshGateway.nodeSelector }} + nodeSelector: {{ fromYaml . | toJson }} + {{- end }} + {{- with .Values.meshGateway.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ fromYamlArray . | toJson }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 16 | trim }} + {{- end }} + replicas: + default: {{ .Values.meshGateway.replicas }} + min: {{ .Values.meshGateway.replicas }} + max: {{ .Values.meshGateway.replicas }} + {{- if .Values.meshGateway.tolerations }} + tolerations: {{ fromYamlArray .Values.meshGateway.tolerations | toJson }} + {{- end }} + service: + {{- if .Values.meshGateway.service.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.service.annotations }} + {{- end }} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.serviceAccount.annotations }} + serviceAccount: + annotations: + set: {{ toJson .Values.meshGateway.serviceAccount.annotations }} + {{- end }} + meshGateways: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + kind: MeshGateway + metadata: + name: mesh-gateway + namespace: {{ .Release.Namespace }} + annotations: + # TODO are these annotations even necessary? + "consul.hashicorp.com/gateway-wan-address-source": {{ .Values.meshGateway.wanAddress.source | quote }} + "consul.hashicorp.com/gateway-wan-address-static": {{ .Values.meshGateway.wanAddress.static | quote }} + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.nodePort | quote }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.port | quote }} + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.wanAddress.port | quote }} + {{- end }} + spec: + gatewayClassName: consul-mesh-gateway + listeners: + - name: "wan" + port: {{ .Values.meshGateway.service.port }} + protocol: "TCP" + workloads: + prefixes: + - "mesh-gateway" + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..ead22833e9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-job.yaml @@ -0,0 +1,133 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263 + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- if (ne (.Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString) "-") }} + - -enable-metrics={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + - -metrics-path={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + - -metrics-port={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cea13c77fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..508ab64eff --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,370 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" $defaults.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..3053105105 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,36 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..2fb80fc04c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..3d75d55613 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,323 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.meshGateway.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + securityContext: + capabilities: + {{ if not .Values.meshGateway.hostNetwork}} + drop: + - ALL + {{- end }} + add: + - NET_BIND_SERVICE + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..56e4b7924c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..80f82ac897 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-service.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..b1a0661eaa --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-init-job.yaml new file mode 100644 index 0000000000..21ad2930b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-init-job.yaml @@ -0,0 +1,131 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/prometheus.yaml b/charts/hashicorp/consul/1.4.2/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..2e798a54d5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-job.yaml @@ -0,0 +1,353 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + exec consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if (and (not .Values.global.metrics.datadog.dogstatsd.enabled) .Values.global.metrics.datadog.enabled .Values.global.acls.manageSystemACLs) }} + -create-dd-agent-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.4.2/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8c74364a29 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-config-configmap.yaml @@ -0,0 +1,220 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "enable_debug": {{ .Values.server.enableAgentDebug }}, + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true, + "leave_on_terminate": true, + "autopilot": { + "min_quorum": {{ template "consul.server.autopilotMinQuorum" . }}, + "disable_upgrade_migration": true + } + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}", + "disable_hostname": {{ .Values.global.metrics.disableAgentHostName }},{{ template "consul.prefixFilter" . }} + "enable_host_metrics": {{ .Values.global.metrics.enableHostMetrics }}{{- if .Values.global.metrics.datadog.dogstatsd.enabled }},{{ template "consul.dogstatsdAaddressInfo" . }} + {{- if .Values.global.metrics.datadog.dogstatsd.enabled }} + "dogstatsd_tags": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson }} + {{- end }} + {{- end }} + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.2/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..56805edc2a --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.server.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-role.yaml b/charts/hashicorp/consul/1.4.2/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.2/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-service.yaml b/charts/hashicorp/consul/1.4.2/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.4.2/templates/server-statefulset.yaml new file mode 100644 index 0000000000..315c8c4666 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-statefulset.yaml @@ -0,0 +1,749 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateMetricsConfig" . }} +{{ template "consul.validateDatadogConfiguration" . }} +{{ template "consul.validateExtraConfig" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.global.metrics.datadog.enabled }} + "tags.datadoghq.com/version": {{ template "consul.versionInfo" . }} + "tags.datadoghq.com/env": {{ template "consul.name" . }} + "tags.datadoghq.com/service": "consul-server" + {{- end }} + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + {{- if not .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.server.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/v1/agent/metrics" + {{- end }} + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + {{- if .Values.global.metrics.datadog.enabled }} + "ad.datadoghq.com/tolerate-unready": "true" + "ad.datadoghq.com/consul.logs": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson | replace "[" "[{" | replace "]" "}]" | replace ":" "\": \"" | join "\",\"" | squote }} + {{- if .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "ad.datadoghq.com/consul.checks": | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "openmetrics_endpoint": "https://consul-server.{{ .Release.Namespace }}.svc:8501/v1/agent/metrics?format=prometheus", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus", + {{- end }} + {{- if ( .Values.global.acls.manageSystemACLs) }} + "headers": { + "X-Consul-Token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]" + }, + {{- end }} + "namespace": "{{ .Release.Namespace }}", + "metrics": [ ".*" ] + } + ] + } + } + {{- else if (not .Values.global.metrics.datadog.dogstatsd.enabled) }} + "ad.datadoghq.com/consul.checks": | + { + "consul": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "url": "https://consul-server.{{ .Release.Namespace }}.svc:8501", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "url": "http://consul-server.consul.svc:8500", + {{- end }} + "use_prometheus_endpoint": true, + {{- if ( .Values.global.acls.manageSystemACLs) }} + "acl_token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]", + {{- end }} + "new_leader_checks": true, + "network_latency_checks": true, + "catalog_checks": true, + "auth_type": "basic" + } + ] + } + } + {{- else }} + "ad.datadoghq.com/consul.metrics_exclude": "true" + {{- end }} + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + hostPath: + path: /var/run/datadog + type: DirectoryOrCreate + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image | trimPrefix "\"" | trimSuffix "\"" }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + + {{- if .Values.global.experiments }} + {{- $commaSeparatedValues := "" }} + {{- range $index, $value := .Values.global.experiments }} + {{- if ne $index 0 }} + {{- $commaSeparatedValues = printf "%s,\\\"%s\\\"" $commaSeparatedValues $value }} + {{- else }} + {{- $commaSeparatedValues = printf "\\\"%s\\\"" $value }} + {{- end }} + {{- end }} + -hcl="experiments=[{{ $commaSeparatedValues }}]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + mountPath: /var/run/datadog + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..89ea9f3c5c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,60 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..3851f0a8e2 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-deployment.yaml @@ -0,0 +1,237 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.syncLoadBalancerEndpoints }} + -sync-lb-services-endpoints=true \ + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..f7b6d7bd2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,449 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- if .Values.global.metrics.datadog.otlp.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if eq (.Values.global.metrics.datadog.otlp.protocol | lower ) "http" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "http://$(HOST_IP):4318" + {{- else if eq (.Values.global.metrics.datadog.otlp.protocol | lower) "grpc" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "grpc://$(HOST_IP):4317" + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..09f4a2dbbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..9afe938e56 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,347 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" $defaults.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-role.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-role.yaml rename to charts/hashicorp/consul/1.4.2/templates/terminating-gateways-role.yaml diff --git a/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.4.2/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-job.yaml new file mode 100644 index 0000000000..41c0c2827e --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + exec consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.4.2/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/ui-service.yaml b/charts/hashicorp/consul/1.4.2/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..45c87c9ceb --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.2/values.yaml b/charts/hashicorp/consul/1.4.2/values.yaml new file mode 100644 index 0000000000..1fdb5e6519 --- /dev/null +++ b/charts/hashicorp/consul/1.4.2/values.yaml @@ -0,0 +1,3788 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.18.2 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.4.2 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + disableAgentHostName: false + + # Configures consul agent underlying host metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + enableHostMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # Configures the list of filter rules to apply for allowing or blocking + # metrics by prefix in the following format: + # + # A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. + # If there is overlap between two rules, the more specific rule will take precedence. + # Blocking will take priority if the same prefix is listed multiple times. + prefixFilter: + # @type: array + allowList: [] + # @type: array + blockList: [] + + # Configures consul integration configurations for datadog on kubernetes. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + datadog: + # Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) + # by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses + # are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: + # - Serf events and member flaps + # - The Raft protocol + # - DNS performance + # - API Endpoints scraped: + # - `/v1/agent/metrics?format=prometheus` + # - `/v1/agent/self` + # - `/v1/status/leader` + # - `/v1/status/peers` + # - `/v1/catalog/services` + # - `/v1/health/service` + # - `/v1/health/state/any` + # - `/v1/coordinate/datacenters` + # - `/v1/coordinate/nodes` + # + # Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks + # in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. + # + # ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul + # residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire + # to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + # + # @default: false + # @type: boolean + enabled: false + + # Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. + # This configuration is less common and more for advanced usage with custom metrics monitoring + # configurations. Refer to the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2) for more details. + openMetricsPrometheus: + # @default: false + # @type: boolean + enabled: false + + otlp: + # Enables forwarding of Consul's Telemetry Collector OTLP metrics for + # ingestion by Datadog Agent. + # @default: false + # @type: boolean + enabled: false + # Protocol used for DataDog Endpoint OTLP ingestion. + # + # Valid protocol options are one of either: + # + # - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" + # - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + # + # @default: "http" + # @type: string + protocol: "http" + + # Configuration settings for DogStatsD metrics aggregation service + # that is bundled with the Datadog Agent. + # DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: + # - Histogram metric type + # - Service checks + # - Events + # - Tagging + dogstatsd: + enabled: false + # Sets the socket transport type for dogstatsd: + # - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") + # If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for + # managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). + # The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + # + # Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + # + # ```yaml + # volumes: + # - name: dsdsocket + # hostPath: + # path: /var/run/datadog + # type: DirectoryOrCreate + # volumeMounts: + # - name: dsdsocket + # mountPath: /var/run/datadog + # readOnly: true + # ``` + # - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based + # dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + # + # @default: "UDS" + # @type: string + socketTransportType: "UDS" + # Sets URL path for dogstatsd: + # + # Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the + # consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" + # the path will be prepended to the specified `dogstatsdPort`. + # + # @default: "/var/run/datadog/dsd.socket" + # @type: string + dogstatsdAddr: "/var/run/datadog/dsd.socket" + # Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + # + # If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to + # mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with + # default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value + # of "172.10.23.6". + # + # @default: 0 + # @type: integer + dogstatsdPort: 0 + # Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) + # style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) + # configuration for Consul. + # + # The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation + # will reside on the consul-server statefulset as autodiscovery annotations. + # (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + # + # @default: ["source:consul","consul_service:consul-server"] + # @type: array + dogstatsdTags: ["source:consul","consul_service:consul-server"] + # Namespace + # + # @default: "default" + # @type: string + namespace: "default" + + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.4.2 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HashiCorp-managed clusters](https://developer.hashicorp.com/hcp/docs/consul/hcp-managed). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # - `resource-apis`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # - `v2tenancy`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul V2 resources (catalog, mesh, auth, etc) + # will use V2 implementations for tenancy (partitions and namesapces) + # instead of bridging to the existing V1 implementations. The + # `resource-apis` feature flag must also be set. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + # When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. + # This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. + # If you change this setting, you must restart the agent for the change to take effect. Default is false. + # @type: boolean + enableAgentDebug: false + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to + # the correct number when left as null. This setting has been kept to preserve backwards compatibility. + # + # By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft + # consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum + # size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum + # size would change. That's why this is set to 1 internally and should not be changed in most cases. + # + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. + # If false, LoadBalancer endpoints are not synced to Consul. + syncLoadBalancerEndpoints: false + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # Metrics settings for gateways created with this gateway class configuration. + metrics: + # This value enables or disables metrics collection on a gateway, overriding the global gateway metrics collection settings. + # @type: boolean + enabled: "-" + # This value sets the port to use for scraping gateway metrics via prometheus, defaults to 20200 if not set. Must be in the port + # range of 1024-65535. + # @type: int + port: null + # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. + # @type: string + path: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-startup-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-startup-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultStartupGracePeriodSeconds: 0 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + # @type: string + defaultGracefulStartupPath: "/graceful_startup" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: Service + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or managed clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul-managed clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.4.3/.helmignore b/charts/hashicorp/consul/1.4.3/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/1.4.3/Chart.yaml b/charts/hashicorp/consul/1.4.3/Chart.yaml new file mode 100644 index 0000000000..2844d6e74e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.18.2 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.4.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.4.2 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul +apiVersion: v2 +appVersion: 1.18.2 +description: Official HashiCorp Consul Chart +home: https://www.consul.io +icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png +kubeVersion: '>=1.22.0-0' +name: consul +sources: +- https://github.com/hashicorp/consul +- https://github.com/hashicorp/consul-k8s +version: 1.4.3 diff --git a/charts/hashicorp/consul/1.4.3/README.md b/charts/hashicorp/consul/1.4.3/README.md new file mode 100644 index 0000000000..a0a9929ed4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.4.3/addons/gen.sh b/charts/hashicorp/consul/1.4.3/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.4.3/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.4.3/assets/icon.png b/charts/hashicorp/consul/1.4.3/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.4.3/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.4.3/templates/NOTES.txt b/charts/hashicorp/consul/1.4.3/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/_helpers.tpl b/charts/hashicorp/consul/1.4.3/templates/_helpers.tpl new file mode 100644 index 0000000000..ca87485a78 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/_helpers.tpl @@ -0,0 +1,688 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). Supports the legacy fullnameOverride setting +as well as the global.name setting. +*/}} +{{- define "consul.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.global.name -}} +{{- .Values.global.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "consul.restrictedSecurityContext" -}} +{{- if not .Values.global.enablePodSecurityPolicies -}} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +{{- if not .Values.global.openshift.enabled -}} +{{/* +We must set runAsUser or else the root user will be used in some cases and +containers will fail to start due to runAsNonRoot above (e.g. +tls-init-cleanup). On OpenShift, runAsUser is automatically. We pick user 100 +because it is a non-root user id that exists in the consul, consul-dataplane, +and consul-k8s-control-plane images. +*/}} + runAsUser: 100 +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "consul.vaultSecretTemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultCATemplate" -}} + | + {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSCATemplate" -}} +{{ include "consul.vaultCATemplate" .Values.global.tls.caCert }} +{{- end -}} + +{{- define "consul.serverTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- if .Data.ca_chain -{{ "}}" }} + {{ "{{" }}- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -{{ "}}" }} + {{ "{{" }} range $index, $cacert := .Data.ca_chain {{ "}}" }} + {{ "{{" }} if (lt $index $lastintermediatecertindex) {{ "}}" }} + {{ "{{" }} $cacert {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }} end {{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.server.serverCert.secretName }}" "{{ printf "common_name=server.%s.%s" .Values.global.datacenter .Values.global.domain }}" + "alt_names={{ include "consul.serverTLSAltNames" . }}" "ip_sans=127.0.0.1{{ include "consul.serverAdditionalIPSANs" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSCertTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.certificate -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.connectInjectWebhookTLSKeyTemplate" -}} + | + {{ "{{" }}- with secret "{{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }}" "{{- $name := include "consul.fullname" . -}}{{ printf "common_name=%s-connect-injector" $name }}" + "alt_names={{ include "consul.connectInjectorTLSAltNames" . }}" -{{ "}}" }} + {{ "{{" }}- .Data.private_key -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.serverTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "localhost,%s-server,*.%s-server,*.%s-server.%s,%s-server.%s,*.%s-server.%s.svc,%s-server.%s.svc,*.server.%s.%s" $name $name $name $ns $name $ns $name $ns $name $ns (.Values.global.datacenter ) (.Values.global.domain) }}{{ include "consul.serverAdditionalDNSSANs" . }} +{{- end -}} + +{{- define "consul.serverAdditionalDNSSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalDNSSANs -}}{{- range $san := .Values.global.tls.serverAdditionalDNSSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.serverAdditionalIPSANs" -}} +{{- if .Values.global.tls -}}{{- if .Values.global.tls.serverAdditionalIPSANs -}}{{- range $san := .Values.global.tls.serverAdditionalIPSANs }},{{ $san }} {{- end -}}{{- end -}}{{- end -}} +{{- end -}} + +{{- define "consul.connectInjectorTLSAltNames" -}} +{{- $name := include "consul.fullname" . -}} +{{- $ns := .Release.Namespace -}} +{{ printf "%s-connect-injector,%s-connect-injector.%s,%s-connect-injector.%s.svc,%s-connect-injector.%s.svc.cluster.local" $name $name $ns $name $ns $name $ns}} +{{- end -}} + +{{- define "consul.vaultReplicationTokenTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + {{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultReplicationTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.replicationToken.secretName }}" -{{ "}}" }} + acl { tokens { agent = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}", replication = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.replicationToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{- define "consul.vaultBootstrapTokenConfigTemplate" -}} +| + {{ "{{" }}- with secret "{{ .Values.global.acls.bootstrapToken.secretName }}" -{{ "}}" }} + acl { tokens { initial_management = "{{ "{{" }}- {{ printf ".Data.data.%s" .Values.global.acls.bootstrapToken.secretKey }} -{{ "}}" }}" }} + {{ "{{" }}- end -{{ "}}" }} +{{- end -}} + +{{/* +Sets up the extra-from-values config file passed to consul and then uses sed to do any necessary +substitution for HOST_IP/POD_IP/HOSTNAME. Useful for dogstats telemetry. The output file +is passed to consul as a -config-file param on command line. +*/}} +{{- define "consul.extraconfig" -}} + cp /consul/tmp/extra-config/extra-from-values.json /consul/extra-config/extra-from-values.json + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /consul/extra-config/extra-from-values.json + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json +{{- end -}} + +{{/* +Cleanup server.extraConfig entries to avoid conflicting entries: + - server.enableAgentDebug: + - `enable_debug` should not exist in extraConfig + - metrics.disableAgentHostName: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `disable_hostname` should not exist in extraConfig + - metrics.enableHostMetrics: + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `enable_host_metrics` should not exist in extraConfig + - metrics.prefixFilter + - if global.metrics.enabled and global.metrics.enableAgentMetrics are enabled, `prefix_filter` should not exist in extraConfig + - metrics.datadog.enabled: + - if global.metrics.datadog.enabled and global.metrics.datadog.dogstatsd.enabled, `dogstatsd_tags` and `dogstatsd_addr` should not exist in extraConfig + +Usage: {{ template "consul.validateExtraConfig" . }} +*/}} +{{- define "consul.validateExtraConfig" -}} +{{- if (contains "enable_debug" .Values.server.extraConfig) }}{{ fail "The enable_debug key is present in extra-from-values.json. Use server.enableAgentDebug to set this value." }}{{- end }} +{{- if (contains "disable_hostname" .Values.server.extraConfig) }}{{ fail "The disable_hostname key is present in extra-from-values.json. Use global.metrics.disableAgentHostName to set this value." }}{{- end }} +{{- if (contains "enable_host_metrics" .Values.server.extraConfig) }}{{ fail "The enable_host_metrics key is present in extra-from-values.json. Use global.metrics.enableHostMetrics to set this value." }}{{- end }} +{{- if (contains "prefix_filter" .Values.server.extraConfig) }}{{ fail "The prefix_filter key is present in extra-from-values.json. Use global.metrics.prefix_filter to set this value." }}{{- end }} +{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_tags" .Values.server.extraConfig) }}{{ fail "The dogstatsd_tags key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsdTags to set this value." }}{{- end }}{{- end }}{{- if (and .Values.global.metrics.datadog.dogstatsd.enabled) }}{{- if (contains "dogstatsd_addr" .Values.server.extraConfig) }}{{ fail "The dogstatsd_addr key is present in extra-from-values.json. Use global.metrics.datadog.dogstatsd.dogstatsd_addr to set this value." }}{{- end }}{{- end }}{{- end }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "consul.chart" -}} +{{- printf "%s-helm" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "consul.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Calculate max number of server pods that are allowed to be voluntarily disrupted. +When there's 1 server, this is set to 0 because this pod should not be disrupted. This is an edge +case and I'm not sure it makes a difference when there's only one server but that's what the previous config was and +I don't want to change it for this edge case. +Otherwise we've changed this to always be 1 as part of the move to set leave_on_terminate +to true. With leave_on_terminate set to true, whenever a server pod is stopped, the number of peers in raft +is reduced. If the number of servers is odd and the count is reduced by 1, the quorum size doesn't change, +but if it's reduced by more than 1, the quorum size can change so that's why this is now always hardcoded to 1. +*/}} +{{- define "consul.server.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.disruptionBudget.maxUnavailable -}} +{{ .Values.server.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{ 1 }} +{{- end -}} +{{- end -}} + +{{- define "consul.server.autopilotMinQuorum" -}} +{{- add (div (int .Values.server.replicas) 2) 1 -}} +{{- end -}} + +{{- define "consul.pdb.connectInject.maxUnavailable" -}} +{{- if eq (int .Values.connectInject.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{ .Values.connectInject.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- if eq (int .Values.connectInject.replicas) 3 -}} +{{- 1 -}} +{{- else -}} +{{- sub (div (int .Values.connectInject.replicas) 2) 1 -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "consul.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ $key }} + value: {{ $value | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get Consul client CA to use when auto-encrypt is enabled. +This template is for an init container. +*/}} +{{- define "consul.getAutoEncryptClientCA" -}} +- name: get-auto-encrypt-client-ca + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane get-consul-client-ca \ + -output-file=/consul/tls/client/ca/tls.crt \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{.Values.global.datacenter}}.{{.Values.global.domain}} \ + {{- end}} + {{- if .Values.externalServers.enabled }} + {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} + -server-addr={{ quote (first .Values.externalServers.hosts) }} \ + -server-port={{ .Values.externalServers.httpsPort }} \ + {{- if .Values.externalServers.tlsServerName }} + -tls-server-name={{ .Values.externalServers.tlsServerName }} \ + {{- end }} + {{- else }} + -server-addr={{ template "consul.fullname" . }}-server \ + -server-port=8501 \ + {{- end }} + {{- if or (not .Values.externalServers.enabled) (and .Values.externalServers.enabled (not .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -ca-file=/vault/secrets/serverca.crt + {{- else }} + -ca-file=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + volumeMounts: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + {{- end }} + {{- end }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/client/ca + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end -}} + +{{/* +Fails when a reserved name is passed in. This should be used to test against +Consul namespaces and partition names. +This template accepts an array that contains two elements. The first element +is the name that's being checked and the second is the name of the values.yaml +key that's setting the name. + +Usage: {{ template "consul.reservedNamesFailer" (list .Values.key "key") }} + +*/}} +{{- define "consul.reservedNamesFailer" -}} +{{- $name := index . 0 -}} +{{- $key := index . 1 -}} +{{- if or (eq "system" $name) (eq "universal" $name) (eq "operator" $name) (eq "root" $name) }} +{{- fail (cat "The name" $name "set for key" $key "is reserved by Consul for future use." ) }} +{{- end }} +{{- end -}} + +{{/* +Fails when at least one but not all of the following have been set: +- global.secretsBackend.vault.connectInjectRole +- global.secretsBackend.vault.connectInject.tlsCert.secretName +- global.secretsBackend.vault.connectInject.caCert.secretName + +The above values are needed in full to turn off web cert manager and allow +connect inject to manage its own webhook certs. + +Usage: {{ template "consul.validateVaultWebhookCertConfiguration" . }} + +*/}} +{{- define "consul.validateVaultWebhookCertConfiguration" -}} +{{- if or .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName}} +{{- if or (not .Values.global.secretsBackend.vault.connectInjectRole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) }} +{{fail "When one of the following has been set, all must be set: global.secretsBackend.vault.connectInjectRole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName"}} +{{ end }} +{{ end }} +{{- end -}} + +{{/* +Consul server environment variables for consul-k8s commands. +*/}} +{{- define "consul.consulK8sConsulServerEnvVars" -}} +- name: CONSUL_ADDRESSES + {{- if .Values.externalServers.enabled }} + value: {{ .Values.externalServers.hosts | first }} + {{- else }} + value: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} +- name: CONSUL_GRPC_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.grpcPort }}" + {{- else }} + value: "8502" + {{- end }} +- name: CONSUL_HTTP_PORT + {{- if .Values.externalServers.enabled }} + value: "{{ .Values.externalServers.httpsPort }}" + {{- else if .Values.global.tls.enabled }} + value: "8501" + {{- else }} + value: "8500" + {{- end }} +- name: CONSUL_DATACENTER + value: {{ .Values.global.datacenter }} +- name: CONSUL_API_TIMEOUT + value: {{ .Values.global.consulAPITimeout }} +{{- if .Values.global.adminPartitions.enabled }} +- name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- if .Values.global.acls.manageSystemACLs }} +- name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} +{{- end }} +{{- end }} +{{- if .Values.global.tls.enabled }} +- name: CONSUL_USE_TLS + value: "true" +{{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} +- name: CONSUL_CACERT_FILE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: "/vault/secrets/serverca.crt" + {{- else }} + value: "/consul/tls/ca/tls.crt" + {{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} +- name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} +{{- else if .Values.global.cloud.enabled }} +- name: CONSUL_TLS_SERVER_NAME + value: server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} +{{- end }} +{{- end }} +{{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} +- name: CONSUL_SKIP_SERVER_WATCH + value: "true" +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets is nil or empty. +- global.cloud.resourceId.secretName +- global.cloud.clientId.secretName +- global.cloud.clientSecret.secretName + +Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }} + +*/}} +{{- define "consul.validateRequiredCloudSecretsExist" -}} +{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }} +{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}} +{{- end }} +{{- end -}} + +{{/* +Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey. +- global.cloud.resourceId.secretName / secretKey +- global.cloud.clientId.secretName / secretKey +- global.cloud.clientSecret.secretName / secretKey +- global.cloud.authUrl.secretName / secretKey +- global.cloud.apiHost.secretName / secretKey +- global.cloud.scadaAddress.secretName / secretKey +Usage: {{ template "consul.validateCloudSecretKeys" . }} + +*/}} +{{- define "consul.validateCloudSecretKeys" -}} +{{- if and .Values.global.cloud.enabled }} +{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }} +{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }} +{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }} +{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }} +{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }} +{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }} +{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}} +{{- end }} +{{- end }} +{{- end -}} + + +{{/* +Fails if telemetryCollector.clientId or telemetryCollector.clientSecret exist and one of other secrets is nil or empty. +- telemetryCollector.cloud.clientId.secretName +- telemetryCollector.cloud.clientSecret.secretName +- global.cloud.resourceId.secretName + +Usage: {{ template "consul.validateTelemetryCollectorCloud" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorCloud" -}} +{{- if (and .Values.telemetryCollector.cloud.clientId.secretName (and (not .Values.global.cloud.clientSecret.secretName) (not .Values.telemetryCollector.cloud.clientSecret.secretName))) }} +{{fail "When telemetryCollector.cloud.clientId.secretName is set, telemetryCollector.cloud.clientSecret.secretName must also be set." }} +{{- end }} +{{- if (and .Values.telemetryCollector.cloud.clientSecret.secretName (and (not .Values.global.cloud.clientId.secretName) (not .Values.telemetryCollector.cloud.clientId.secretName))) }} +{{fail "When telemetryCollector.cloud.clientSecret.secretName is set, telemetryCollector.cloud.clientId.secretName must also be set." }} +{{- end }} +{{- end }} + +{{/**/}} + +{{- define "consul.validateTelemetryCollectorCloudSecretKeys" -}} +{{- if or (and .Values.telemetryCollector.cloud.clientId.secretName (not .Values.telemetryCollector.cloud.clientId.secretKey)) (and .Values.telemetryCollector.cloud.clientId.secretKey (not .Values.telemetryCollector.cloud.clientId.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientId.secretName or telemetryCollector.cloud.clientId.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName (not .Values.telemetryCollector.cloud.clientSecret.secretKey)) (and .Values.telemetryCollector.cloud.clientSecret.secretKey (not .Values.telemetryCollector.cloud.clientSecret.secretName)) }} +{{fail "When either telemetryCollector.cloud.clientSecret.secretName or telemetryCollector.cloud.clientSecret.secretKey is defined, both must be set."}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretName or global.cloud.resourceId.secretName must be set"}} +{{- end }} +{{- if or (and .Values.telemetryCollector.cloud.clientSecret.secretName .Values.telemetryCollector.cloud.clientSecret.secretKey .Values.telemetryCollector.cloud.clientId.secretName .Values.telemetryCollector.cloud.clientId.secretKey (not (or .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey))) }} +{{fail "When telemetryCollector has clientId and clientSecret, telemetryCollector.cloud.resourceId.secretKey or global.cloud.resourceId.secretKey must be set"}} +{{- end }} +{{- end -}} + +{{/* +Fails if telemetryCollector.cloud.resourceId is set but differs from global.cloud.resourceId. This should never happen. Either one or both are set, but they should never differ. +If they differ, that implies we're configuring servers for one HCP Consul cluster but pushing envoy metrics for a different HCP Consul cluster. A user could set the same value +in two secrets (it's questionable whether resourceId should be a secret at all) but we won't know at this point, so we just check secret name+key. + +Usage: {{ template "consul.validateTelemetryCollectorResourceId" . }} + +*/}} +{{- define "consul.validateTelemetryCollectorResourceId" -}} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName) (not (eq .Values.telemetryCollector.cloud.resourceId.secretName .Values.global.cloud.resourceId.secretName)) }} +{{fail "When both global.cloud.resourceId.secretName and telemetryCollector.cloud.resourceId.secretName are set, they should be the same."}} +{{- end }} +{{- if and (and .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey) (not (eq .Values.telemetryCollector.cloud.resourceId.secretKey .Values.global.cloud.resourceId.secretKey)) }} +{{fail "When both global.cloud.resourceId.secretKey and telemetryCollector.cloud.resourceId.secretKey are set, they should be the same."}} +{{- end }} +{{- end }} + +{{/**/}} + +{{/* +Fails if global.experiments.resourceAPIs is set along with any of these unsupported features. +- global.peering.enabled +- global.federation.enabled +- global.cloud.enabled +- client.enabled +- ui.enabled +- syncCatalog.enabled +- meshGateway.enabled +- ingressGateways.enabled +- terminatingGateways.enabled +- apiGateway.enabled + +Usage: {{ template "consul.validateResourceAPIs" . }} + +*/}} +{{- define "consul.validateResourceAPIs" -}} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.peering.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.peering.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) (not (mustHas "v2tenancy" .Values.global.experiments)) .Values.global.adminPartitions.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.experiments.v2tenancy must also be set to support global.adminPartitions.enabled."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.federation.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.federation.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.global.cloud.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, global.cloud.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.client.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, client.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ui.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ui.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.syncCatalog.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, syncCatalog.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.ingressGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, ingressGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}} +{{- end }} +{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }} +{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}} +{{- end }} +{{- end }} + +{{/* +Validation for Consul Metrics configuration: + +Fail if metrics.enabled=true and metrics.disableAgentHostName=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.disableAgentHostName = true + +Fail if metrics.enableAgentMetrics=true and metrics.disableAgentHostName=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.disableAgentHostName = true + +Fail if metrics.enabled=true and metrics.enableHostMetrics=true, but metrics.enableAgentMetrics=false + - metrics.enabled = true + - metrics.enableAgentMetrics = false + - metrics.enableHostMetrics = true + +Fail if metrics.enableAgentMetrics=true and metrics.enableHostMetrics=true, but metrics.enabled=false + - metrics.enabled = false + - metrics.enableAgentMetrics = true + - metrics.enableHostMetrics = true + +Usage: {{ template "consul.validateMetricsConfig" . }} + +*/}} + +{{- define "consul.validateMetricsConfig" -}} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When enabling metrics (global.metrics.enabled) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global.metrics.enableAgentMetrics must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics )}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname emission from metrics (global.metrics.disableAgentHostName), global metrics enablement (global.metrics.enabled) must be set to true"}} +{{- end }} +{{- if and (not .Values.global.metrics.enableAgentMetrics) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enabled )}} +{{fail "When disabling hostname emission from metrics (global.metrics.disableAgentHostName) and enabling global metrics (global.metrics.enabled), Consul agent metrics must be enabled(global.metrics.enableAgentMetrics=true)"}} +{{- end }} +{{- if and (not .Values.global.metrics.enabled) (and .Values.global.metrics.disableAgentHostName .Values.global.metrics.enableAgentMetrics)}} +{{fail "When enabling Consul agent metrics (global.metrics.enableAgentMetrics) and disabling hostname metrics emission (global.metrics.disableAgentHostName), global metrics must be enabled (global.metrics.enabled)."}} +{{- end }} +{{- end -}} + +{{/* +Validation for Consul Datadog Integration deployment: + +Fail if Datadog integration enabled and Consul server agent telemetry is not enabled. + - global.metrics.datadog.enabled=true + - global.metrics.enableAgentMetrics=false || global.metrics.enabled=false + +Fail if Consul OpenMetrics (Prometheus) and DogStatsD metrics are both enabled and configured. + - global.metrics.datadog.dogstatsd.enabled (scrapes `/v1/agent/metrics?format=prometheus` via the `use_prometheus_endpoint` option) + - global.metrics.datadog.openMetricsPrometheus.enabled (scrapes `/v1/agent/metrics?format=prometheus`) + - see https://docs.datadoghq.com/integrations/consul/?tab=host#host for recommendation to not have both + +Fail if Datadog OTLP forwarding is enabled and Consul Telemetry Collection is not enabled. + - global.metrics.datadog.otlp.enabled=true + - telemetryCollector.enabled=false + +Fail if Consul Open Telemetry collector forwarding protocol is not one of either "http" or "grpc" + - global.metrics.datadog.otlp.protocol!="http" || global.metrics.datadog.otlp.protocol!="grpc" + +Usage: {{ template "consul.validateDatadogConfiguration" . }} + +*/}} + +{{- define "consul.validateDatadogConfiguration" -}} +{{- if and .Values.global.metrics.datadog.enabled (or (not .Values.global.metrics.enableAgentMetrics) (not .Values.global.metrics.enabled) )}} +{{fail "When enabling datadog metrics collection, the /v1/agent/metrics is required to be accessible, therefore global.metrics.enableAgentMetrics and global.metrics.enabled must be also be enabled."}} +{{- end }} +{{- if and .Values.global.metrics.datadog.dogstatsd.enabled .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} +{{fail "You must have one of DogStatsD (global.metrics.datadog.dogstatsd.enabled) or OpenMetrics (global.metrics.datadog.openMetricsPrometheus.enabled) enabled, not both as this is an unsupported configuration." }} +{{- end }} +{{- if and .Values.global.metrics.datadog.otlp.enabled (not .Values.telemetryCollector.enabled) }} +{{fail "Cannot enable Datadog OTLP metrics collection (global.metrics.datadog.otlp.enabled) without consul-telemetry-collector. Ensure Consul OTLP collection is enabled (telemetryCollector.enabled) and configured." }} +{{- end }} +{{- if and (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "http") (ne ( lower .Values.global.metrics.datadog.otlp.protocol) "grpc") }} +{{fail "Valid values for global.metrics.datadog.otlp.protocol must be one of either \"http\" or \"grpc\"." }} +{{- end }} +{{- end -}} + +{{/* +Sets the dogstatsd_addr field of the agent configuration dependent on the +socket transport type being used: + - "UDS" (Unix Domain Socket): prefixes "unix://" to URL and appends path to socket (i.e., unix:///var/run/datadog/dsd.socket) + - "UDP" (User Datagram Protocol): adds no prefix and appends dogstatsd port number to hostname/IP (i.e., 172.20.180.10:8125) +- global.metrics.enableDatadogIntegration.dogstatsd configuration + +Usage: {{ template "consul.dogstatsdAaddressInfo" . }} +*/}} + +{{- define "consul.dogstatsdAaddressInfo" -}} +{{- if (and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled) }} + "dogstatsd_addr": "{{- if eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" }}unix://{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr }}{{- else }}{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdAddr | trimAll "\"" }}{{- if ne ( .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | int ) 0 }}:{{ .Values.global.metrics.datadog.dogstatsd.dogstatsdPort | toString }}{{- end }}{{- end }}",{{- end }} +{{- end -}} + +{{/* +Configures the metrics prefixing that's required to either allow or dissallow certaing RPC or gRPC server calls: + +Usage: {{ template "consul.prefixFilter" . }} +*/}} +{{- define "consul.prefixFilter" -}} +{{- $allowList := .Values.global.metrics.prefixFilter.allowList }} +{{- $blockList := .Values.global.metrics.prefixFilter.blockList }} +{{- if and (not (empty $allowList)) (not (empty $blockList)) }} + "prefix_filter": [{{- range $index, $value := concat $allowList $blockList -}} + "{{- if (has $value $allowList) }}{{ printf "+%s" ($value | trimAll "\"") }}{{- else }}{{ printf "-%s" ($value | trimAll "\"") }}{{- end }}"{{- if lt $index (sub (len (concat $allowList $blockList)) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $allowList) }} + "prefix_filter": [{{- range $index, $value := $allowList -}} + "{{ printf "+%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $allowList) 1) -}},{{- end -}} + {{- end -}}], +{{- else if not (empty $blockList) }} + "prefix_filter": [{{- range $index, $value := $blockList -}} + "{{ printf "-%s" ($value | trimAll "\"") }}"{{- if lt $index (sub (len $blockList) 1) -}},{{- end -}} + {{- end -}}], +{{- end }} +{{- end -}} + +{{/* +Retrieves the global consul/consul-enterprise version string for use with labels or tags. +Requirements for valid labels: + - a valid label must be an empty string or consist of + => alphanumeric characters + => '-', '_' or '.' + => must start and end with an alphanumeric character + (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is + '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +Usage: {{ template "consul.versionInfo" }} +*/}} +{{- define "consul.versionInfo" -}} +{{- $imageVersion := regexSplit ":" .Values.global.image -1 }} +{{- $versionInfo := printf "%s" (index $imageVersion 1 ) | trimSuffix "\"" }} +{{- $sanitizedVersion := "" }} +{{- $pattern := "^([A-Za-z0-9][-A-Za-z0-9_.]*[A-Za-z0-9])?$" }} +{{- if not (regexMatch $pattern $versionInfo) -}} + {{- $sanitizedVersion = regexReplaceAll "[^A-Za-z0-9-_.]|sha256" $versionInfo "" }} + {{- $sanitizedVersion = printf "%s" (trimSuffix "-" (trimPrefix "-" $sanitizedVersion)) -}} +{{- else }} + {{- $sanitizedVersion = $versionInfo }} +{{- end -}} +{{- printf "%s" $sanitizedVersion | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrole.yaml new file mode 100644 index 0000000000..eac2bd1f69 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrole.yaml @@ -0,0 +1,265 @@ +{{- if .Values.apiGateway.enabled }} +# The ClusterRole to enable the API Gateway controller to access required api endpoints. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +rules: +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - list + - update + - watch +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - gatewayclassconfigs/finalizers + verbs: + - update +- apiGroups: + - api-gateway.consul.hashicorp.com + resources: + - meshservices + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencepolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - patch + - update +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - create + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrolebinding.yaml new file mode 100644 index 0000000000..d083a08129 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-api-gateway-controller +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-deployment.yaml new file mode 100644 index 0000000000..453be66054 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-deployment.yaml @@ -0,0 +1,306 @@ +{{- if .Values.apiGateway.enabled }} +{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} +{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.apiGateway.controller.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{ end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- end }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller + containers: + - name: api-gateway-controller + image: {{ .Values.apiGateway.image }} + ports: + - containerPort: 9090 + name: sds + protocol: TCP + env: + {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate + root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are + enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}} + {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway + v0.4 and older, which requires connectivity between the registered Consul agent node and a + deployment for health checking (originating from the Consul node). Always leveraging the agents in + the case that they're explicitly opted into allows us to support users with agent node + + "externalServers" configuration upgrading a Helm chart without upgrading API gateways. + */}} + {{- if .Values.global.tls.enabled }} + value: $(HOST_IP):8501 + {{- else }} + value: $(HOST_IP):8500 + {{- end }} + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work with + Consul API Gateway v0.5 or newer + */}} + value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of Consul API Gateway + */}} + {{- if .Values.global.tls.enabled }} + value: {{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: {{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- end }} + - name: CONSUL_HTTP_SSL + value: "{{ .Values.global.tls.enabled }}" + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - name: CONSUL_TLS_SERVER_NAME + value: {{ .Values.externalServers.tlsServerName }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - name: CONSUL_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_PARTITION + value: {{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if not .Values.client.enabled }} + - name: CONSUL_DYNAMIC_SERVER_DISCOVERY + value: "true" + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-api-gateway server \ + -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ + -k8s-namespace {{ .Release.Namespace }} \ + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -mirroring-k8s=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- end }} + -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + mountPath: /consul-bin + {{- end }} + {{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} + {{- if .Values.global.tls.enabled }} + {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.apiGateway.resources }} + resources: + {{- toYaml .Values.apiGateway.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: ["/consul-bin/consul", "logout" ] + {{- end }} + volumes: + {{- if .Values.global.acls.manageSystemACLs }} + - name: consul-bin + emptyDir: { } + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + - name: consul-data + emptyDir: + medium: "Memory" + {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: copy-consul-bin + image: {{ .Values.global.image | quote }} + command: + - cp + - /bin/consul + - /consul-bin/consul + volumeMounts: + - name: consul-bin + mountPath: /consul-bin + {{- if .Values.apiGateway.initCopyConsulContainer }} + {{- if .Values.apiGateway.initCopyConsulContainer.resources }} + resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: api-gateway-controller-acl-init + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: CONSUL_LOGIN_META + value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end}} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + {{- if .Values.global.tls.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + {{- else }} + -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} + {{- end }} + {{- if .Values.apiGateway.controller.priorityClassName }} + priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} + {{- end }} + {{- if .Values.apiGateway.controller.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.apiGateway.controller.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-podsecuritypolicy.yaml new file mode 100644 index 0000000000..390d084303 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-service.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-service.yaml new file mode 100644 index 0000000000..aa79ff9fc3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-service.yaml @@ -0,0 +1,27 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + annotations: + {{- if .Values.apiGateway.controller.service.annotations }} + {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + ports: + - name: sds + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: api-gateway-controller +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-serviceaccount.yaml new file mode 100644 index 0000000000..98292a8dbe --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-controller-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.apiGateway.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-api-gateway-controller + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller + {{- if .Values.apiGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclass.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclass.yaml new file mode 100644 index 0000000000..d9ba85e633 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclass.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: GatewayClass +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + controllerName: hashicorp.com/consul-api-gateway-controller + parametersRef: + group: api-gateway.consul.hashicorp.com + kind: GatewayClassConfig + name: consul-api-gateway +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclassconfig.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclassconfig.yaml new file mode 100644 index 0000000000..ba0e6c63db --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-gatewayclassconfig.yaml @@ -0,0 +1,84 @@ +{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} +apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 +kind: GatewayClassConfig +metadata: + name: consul-api-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway +spec: + consul: + {{- if .Values.client.enabled }} + {{/* + We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which + require connectivity between the registered Consul agent node and a deployment for health checking + (originating from the Consul node). Always leveraging the agents in the case that they're explicitly + opted into allows us to support users with agent node + "externalServers" configuration upgrading a + helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided + without local agents will break gateways <=0.4. + */}} + address: $(HOST_IP) + {{- else if .Values.externalServers.enabled }} + {{/* + "externalServers" specified and running in "agentless" mode, this will only work 0.5+ + */}} + address: {{ first .Values.externalServers.hosts }} + {{- else }} + {{/* + We have local network connectivity between deployments and the internal cluster, this + should be supported in all versions of api-gateway + */}} + address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + authentication: + {{- if .Values.global.acls.manageSystemACLs }} + managed: true + method: {{ template "consul.fullname" . }}-k8s-auth-method + {{- if .Values.global.enablePodSecurityPolicies }} + podSecurityPolicy: {{ template "consul.fullname" . }}-api-gateway + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + scheme: https + {{- else }} + scheme: http + {{- end }} + ports: + {{- if .Values.externalServers.enabled }} + grpc: {{ .Values.externalServers.grpcPort }} + http: {{ .Values.externalServers.httpsPort }} + {{- else }} + grpc: 8502 + {{- if .Values.global.tls.enabled }} + http: 8501 + {{- else }} + http: 8500 + {{- end }} + {{- end }} + {{- with .Values.apiGateway.managedGatewayClass.deployment }} + deployment: + {{- toYaml . | nindent 4 }} + {{- end }} + image: + consulAPIGateway: {{ .Values.apiGateway.image }} + envoy: {{ .Values.apiGateway.imageEnvoy }} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + nodeSelector: + {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + tolerations: + {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + copyAnnotations: + service: + {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} + {{- end }} + serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} + useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} + logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/api-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/api-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..48f826f995 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/api-gateway-podsecuritypolicy.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-api-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: api-gateway-controller +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + allowedCapabilities: + - NET_BIND_SERVICE + hostNetwork: false + hostIPC: false + hostPID: false + hostPorts: + - max: 65535 + min: 1025 + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.4.3/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.4.3/templates/client-daemonset.yaml new file mode 100644 index 0000000000..cf0cb1d686 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-daemonset.yaml @@ -0,0 +1,608 @@ +{{- if .Values.global.imageK8s }}{{ fail "global.imageK8s is not a valid key, use global.imageK8S (note the capital 'S')" }}{{ end -}} +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled $serverEnabled (ne .Values.global.adminPartitions.name "default"))}}{{ fail "global.adminPartitions.name has to be \"default\" in the server cluster" }}{{ end -}} +{{- if (and (not .Values.global.secretsBackend.vault.consulClientRole) .Values.global.secretsBackend.vault.enabled) }}{{ fail "global.secretsBackend.vault.consulClientRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.enableAutoEncrypt)) }}{{ fail "global.tls.enableAutoEncrypt must be true if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# DaemonSet to run the Consul clients on every node. +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.client.updateStrategy }} + updateStrategy: + {{ tpl .Values.client.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: client + hasDNS: "true" + {{- if .Values.client.extraLabels }} + {{- toYaml .Values.client.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulClientRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/client-config-configmap.yaml") .) (include (print $.Template.BasePath "/client-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.client.annotations }} + {{- tpl .Values.client.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.client.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/v1/agent/metrics" + {{- end }} + "prometheus.io/port": "8500" + {{- end }} + spec: + {{- if .Values.client.affinity }} + affinity: + {{ tpl .Values.client.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-client + + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.securityContext | nindent 8 -}} + {{- end }} + + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + + {{- if .Values.client.dnsPolicy }} + dnsPolicy: {{ .Values.client.dnsPolicy }} + {{- end }} + + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- end }} + + volumes: + - name: data + {{- if .Values.client.dataDirectoryHostPath }} + hostPath: + path: {{ .Values.client.dataDirectoryHostPath }} + type: DirectoryOrCreate + {{- else }} + emptyDir: {} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-client-config + - name: extra-config + emptyDir: {} + - name: consul-data + emptyDir: + medium: "Memory" + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- if (and (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.tls.enableAutoEncrypt)) }} + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + - name: consul-client-cert + emptyDir: + # We're using tmpfs here so that + # client certs are not written to disk + medium: "Memory" + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + emptyDir: {} + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- end }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.client.image }}" + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/consul" + - "logout" + {{- end }} + env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.client.exposeGossipPorts }} + {{- /* Clients will be exposed on their node's hostPort for external-to-k8s communication, + so they need to advertise their host ip instead of their pod ip. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: "false" + {{- else }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -node="${NODE}" \ + -advertise="${ADVERTISE_IP}" \ + -bind=0.0.0.0 \ + -client=0.0.0.0 \ + {{- range $k, $v := .Values.client.nodeMeta }} + -node-meta={{ $k }}:{{ $v }} \ + {{- end }} + -hcl='leave_on_terminate = true' \ + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.peering.enabled }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ + {{- else }} + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + -hcl='tls { grpc { use_auto_cert = true } }' \ + {{- else }} + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='tls { defaults { verify_outgoing = true }}' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- else}} + {{- if .Values.global.secretsBackend.vault.enabled }} + -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + {{- else }} + -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ + {{- else }} + -hcl='cert_file = "/consul/tls/client/tls.crt"' \ + -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} + {{- if .Values.global.tls.verify }} + -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ + -hcl='verify_server_hostname = true' \ + {{- end }} + {{- end }} + -hcl='ports { https = 8501 }' \ + {{- if .Values.global.tls.httpsOnly }} + -hcl='ports { http = -1 }' \ + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.grpc }} + {{- if .Values.global.tls.enabled }} + -hcl='ports { grpc = -1, grpc_tls = 8502 }' \ + {{- else }} + -hcl='ports { grpc = 8502, grpc_tls = -1 }' \ + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + -hcl='telemetry { prometheus_retention_time = "{{ .Values.global.metrics.agentMetricsRetentionTime }}" }' \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -hcl='partition = "{{ .Values.global.adminPartitions.name }}"' \ + {{- end }} + -config-dir=/consul/config \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-dir=/consul/aclconfig \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.client.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -datacenter={{ .Values.global.datacenter }} \ + -data-dir=/consul/data \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if .Values.client.join }} + {{- range $value := .Values.client.join }} + -retry-join={{ quote $value }} \ + {{- end }} + {{- else }} + {{- if .Values.server.enabled }} + {{- $serverSerfLANPort := .Values.server.ports.serflan.port -}} + {{- range $index := until (.Values.server.replicas | int) }} + -retry-join="${CONSUL_FULLNAME}-server-{{ $index }}.${CONSUL_FULLNAME}-server.${NAMESPACE}.svc:{{ $serverSerfLANPort }}" \ + {{- end }} + {{- end }} + {{- end }} + {{- range $value := .Values.global.recursors }} + -recursor={{ quote $value }} \ + {{- end }} + -config-dir=/consul/extra-config \ + -domain={{ .Values.global.domain }} + volumeMounts: + - name: data + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + - mountPath: /consul/login + name: consul-data + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert + mountPath: /consul/tls/client + readOnly: true + {{- end }} + {{- end }} + {{- end }} + {{- range .Values.client.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: aclconfig + mountPath: /consul/aclconfig + {{- else }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - containerPort: 8500 + hostPort: 8500 + name: http + {{- end }} + {{- if .Values.global.tls.enabled }} + - containerPort: 8501 + hostPort: 8501 + name: https + {{- end }} + - containerPort: 8502 + hostPort: 8502 + name: grpc + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "TCP" + name: serflan-tcp + - containerPort: 8301 + {{- if .Values.client.exposeGossipPorts }} + hostPort: 8301 + {{- end }} + protocol: "UDP" + name: serflan-udp + - containerPort: 8600 + name: dns-tcp + protocol: "TCP" + - containerPort: 8600 + name: dns-udp + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl \ + -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + {{- if .Values.client.resources }} + resources: + {{- if eq (typeOf .Values.client.resources) "string" }} + {{ tpl .Values.client.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.client.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }} + {{- end }} + {{- if .Values.client.extraContainers }} + {{ toYaml .Values.client.extraContainers | nindent 8 }} + {{- end }} + {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} + initContainers: + {{- if .Values.global.acls.manageSystemACLs }} + - name: client-acl-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + - name: CONSUL_LOGIN_META + value: "component=client,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -log-level={{ default .Values.global.logLevel .Values.client.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -init-type="client" + volumeMounts: + - name: aclconfig + mountPath: /consul/aclconfig + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) (not .Values.externalServers.useSystemRoots)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: false + {{- end }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.aclInit | nindent 10 }} + {{- end }} + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} + - name: client-tls-init + image: "{{ default .Values.global.image .Values.client.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + - "/bin/sh" + - "-ec" + - | + cd /consul/tls/client + consul tls cert create -client \ + -additional-ipaddress=${HOST_IP} \ + -additional-ipaddress=${POD_IP} \ + -dc={{ .Values.global.datacenter }} \ + -domain={{ .Values.global.domain }} \ + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt + mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key + volumeMounts: + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: consul-client-cert + mountPath: /consul/tls/client + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.client.containerSecurityContext.tlsInit | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-role.yaml b/charts/hashicorp/consul/1.4.3/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.3/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-daemonset.yaml new file mode 100644 index 0000000000..258924f449 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-daemonset.yaml @@ -0,0 +1,91 @@ +{{- if (and (.Values.connectInject.cni.enabled) (not .Values.connectInject.enabled)) }}{{ fail "connectInject.enabled must be true if connectInject.cni.enabled is true" }}{{ end -}} +{{- if .Values.connectInject.cni.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + {{- if .Values.connectInject.cni.updateStrategy }} + updateStrategy: + {{ tpl .Values.connectInject.cni.updateStrategy . | nindent 4 | trim }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: cni + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + spec: + # consul-cni only runs on linux operating systems + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + # Tell kubernetes that this daemonset is critical so that it will be scheduled on a new node before other pods + priorityClassName: system-node-critical + serviceAccountName: {{ template "consul.fullname" . }}-cni + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.connectInject.cni.securityContext | nindent 8 -}} + {{- end }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 10 + containers: + # This container installs the consul CNI binaries and CNI network config file on each node + - name: install-cni + image: {{ .Values.global.imageK8S }} + securityContext: + privileged: true + command: + - consul-k8s-control-plane + - install-cni + - -log-level={{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }} + - -cni-bin-dir={{ .Values.connectInject.cni.cniBinDir }} + - -cni-net-dir={{ .Values.connectInject.cni.cniNetDir }} + - -multus={{ .Values.connectInject.cni.multus }} + {{- with .Values.connectInject.cni.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.connectInject.cni.cniBinDir }} + name: cni-bin-dir + - mountPath: {{ .Values.connectInject.cni.cniNetDir }} + name: cni-net-dir + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.connectInject.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.connectInject.cni.cniNetDir }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrole.yaml new file mode 100644 index 0000000000..c6845870ba --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrole.yaml @@ -0,0 +1,287 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults + - serviceresolvers + - proxydefaults + - meshes + - exportedservices + - servicerouters + - servicesplitters + - serviceintentions + - ingressgateways + - terminatinggateways + - gatewayclassconfigs + - meshservices + - samenessgroups + - controlplanerequestlimits + - routeretryfilters + - routetimeoutfilters + - routeauthfilters + - gatewaypolicies + {{- if .Values.global.peering.enabled }} + - peeringacceptors + - peeringdialers + {{- end }} + - jwtproviders + - routeauthfilters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - consul.hashicorp.com + resources: + - servicedefaults/status + - serviceresolvers/status + - proxydefaults/status + - meshes/status + - exportedservices/status + - servicerouters/status + - servicesplitters/status + - serviceintentions/status + - ingressgateways/status + - terminatinggateways/status + - samenessgroups/status + - controlplanerequestlimits/status + {{- if .Values.global.peering.enabled }} + - peeringacceptors/status + - peeringdialers/status + {{- end }} + - jwtproviders/status + - routeauthfilters/status + - gatewaypolicies/status + verbs: + - get + - patch + - update +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - auth.consul.hashicorp.com + resources: + - trafficpermissions/status + verbs: + - get + - patch + - update +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshconfigurations + - grpcroutes + - httproutes + - meshgateways + - tcproutes + - proxyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs/status + - gatewayclasses/status + - meshconfigurations/status + - grpcroutes/status + - httproutes/status + - meshgateways/status + - tcproutes/status + - proxyconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - multicluster.consul.hashicorp.com + resources: + - exportedservices/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} +- apiGroups: [ "" ] + resources: [ "secrets", "serviceaccounts", "endpoints", "services", "namespaces", "nodes" ] + verbs: + - create + - get + - list + - watch + - delete + - update +- apiGroups: [ "rbac.authorization.k8s.io" ] + resources: [ "roles", "rolebindings" ] + verbs: + - get + - list + - watch + - delete + - create + - update +- apiGroups: [ "" ] + resources: + - pods + verbs: + - "get" + - "list" + - "watch" + - "update" +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - list + - update +{{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName)}} +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +{{- end }} +{{- if .Values.global.peering.enabled }} +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "delete" +{{- end }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - httproutes + - tcproutes + - referencegrants + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gateways/finalizers + - httproutes/finalizers + - tcproutes/finalizers + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + - tcproutes/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - update + - watch + - delete +- apiGroups: + - core + resources: + - services + verbs: + - watch + - list +- apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: + - "get" + - "list" + - "watch" +{{- if .Values.global.openshift.enabled }} +- apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - {{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + verbs: + - use + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-deployment.yaml new file mode 100644 index 0000000000..fe07c2581a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-deployment.yaml @@ -0,0 +1,370 @@ +{{- if and .Values.global.peering.enabled (not .Values.connectInject.enabled) }}{{ fail "setting global.peering.enabled to true requires connectInject.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.global.tls.enabled) }}{{ fail "setting global.peering.enabled to true requires global.tls.enabled to be true" }}{{ end }} +{{- if and .Values.global.peering.enabled (not .Values.meshGateway.enabled) }}{{ fail "setting global.peering.enabled to true requires meshGateway.enabled to be true" }}{{ end }} +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateVaultWebhookCertConfiguration" . }} +{{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +{{- if and .Values.externalServers.enabled .Values.global.cloud.enabled }} + {{- if and (gt (len .Values.externalServers.hosts) 0) (regexMatch ".+.hashicorp.cloud$" ( first .Values.externalServers.hosts )) }}{{fail "global.cloud.enabled cannot be used in combination with an HCP-managed cluster address in externalServers.hosts. global.cloud.enabled is for linked self-managed clusters."}}{{- end }} +{{- end }} +{{- if and .Values.externalServers.skipServerWatch (not .Values.externalServers.enabled) }}{{ fail "externalServers.enabled must be set if externalServers.skipServerWatch is true" }}{{ end -}} +{{- $dnsEnabled := (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{- $dnsRedirectionEnabled := (or (and (ne (.Values.dns.enableRedirection | toString) "-") .Values.dns.enableRedirection) (and (eq (.Values.dns.enableRedirection | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateResourceAPIs" . }} +# The deployment for running the Connect sidecar injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.connectInject.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.extraLabels }} + {{- toYaml .Values.connectInject.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.connectInject.annotations }} + {{- tpl .Values.connectInject.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.secretsBackend.vault.connectInjectRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.connectInjectRole }} + {{ else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{ end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if .Values.global.secretsBackend.vault.connectInject.caCert.secretName }} + {{- with .Values.global.secretsBackend.vault.connectInject.caCert }} + "vault.hashicorp.com/agent-inject-secret-ca.crt": {{ .secretName }} + "vault.hashicorp.com/agent-inject-template-ca.crt": {{ template "consul.vaultCATemplate" . }} + "vault.hashicorp.com/secret-volume-path-ca.crt": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-tls.crt": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.crt": {{ include "consul.connectInjectWebhookTLSCertTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.crt": "/vault/secrets/connect-injector/certs" + "vault.hashicorp.com/agent-inject-secret-tls.key": {{ .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + "vault.hashicorp.com/agent-inject-template-tls.key": {{ include "consul.connectInjectWebhookTLSKeyTemplate" . }} + "vault.hashicorp.com/secret-volume-path-tls.key": "/vault/secrets/connect-injector/certs" + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector + containers: + - name: sidecar-injector + image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" + ports: + - containerPort: 8080 + name: webhook-server + protocol: TCP + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 12 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=connect-injector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + {{- if (and .Values.connectInject.aclInjectToken.secretName .Values.connectInject.aclInjectToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.connectInject.aclInjectToken.secretName }} + key: {{ .Values.connectInject.aclInjectToken.secretKey }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane inject-connect \ + {{- if .Values.global.federation.enabled }} + -enable-federation \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.connectInject.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -default-inject={{ .Values.connectInject.default }} \ + -consul-image="{{ default .Values.global.image .Values.connectInject.imageConsul }}" \ + -consul-dataplane-image="{{ .Values.global.imageConsulDataplane }}" \ + -consul-k8s-image="{{ default .Values.global.imageK8S .Values.connectInject.image }}" \ + -release-name="{{ .Release.Name }}" \ + -release-namespace="{{ .Release.Namespace }}" \ + -resource-prefix={{ template "consul.fullname" . }} \ + -listen=:8080 \ + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + {{- if (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true \ + {{- end }} + {{- range $k, $v := .Values.connectInject.consulNode.meta }} + -node-meta={{ $k }}={{ $v }} \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultEnabled }} + -default-enable-transparent-proxy=true \ + {{- else }} + -default-enable-transparent-proxy=false \ + {{- end }} + -enable-cni={{ .Values.connectInject.cni.enabled }} \ + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if .Values.connectInject.transparentProxy.defaultOverwriteProbes }} + -transparent-proxy-default-overwrite-probes=true \ + {{- else }} + -transparent-proxy-default-overwrite-probes=false \ + {{- end }} + {{- if (and $dnsEnabled $dnsRedirectionEnabled) }} + -enable-consul-dns=true \ + {{- end }} + {{- if .Values.global.openshift.enabled }} + -enable-openshift \ + {{- end }} + {{- if (or (and (ne (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.connectInject.metrics.defaultEnabled) (and (eq (.Values.connectInject.metrics.defaultEnabled | toString) "-") .Values.global.metrics.enabled)) }} + -default-enable-metrics=true \ + {{- else }} + -default-enable-metrics=false \ + {{- end }} + -enable-gateway-metrics={{ .Values.global.metrics.enableGatewayMetrics }} \ + -default-enable-metrics-merging={{ .Values.connectInject.metrics.defaultEnableMerging }} \ + -default-merged-metrics-port={{ .Values.connectInject.metrics.defaultMergedMetricsPort }} \ + -default-prometheus-scrape-port={{ .Values.connectInject.metrics.defaultPrometheusScrapePort }} \ + -default-prometheus-scrape-path="{{ .Values.connectInject.metrics.defaultPrometheusScrapePath }}" \ + {{- if .Values.connectInject.envoyExtraArgs }} + -envoy-extra-args="{{ .Values.connectInject.envoyExtraArgs }}" \ + {{- end }} + {{- if .Values.connectInject.overrideAuthMethodName }} + -acl-auth-method="{{ .Values.connectInject.overrideAuthMethodName }}" \ + {{- else if .Values.global.acls.manageSystemACLs }} + -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.connectInject.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -enable-partitions=true \ + {{- end }} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if and .Values.global.enableConsulNamespaces .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName }} + -tls-cert-dir=/vault/secrets/connect-injector/certs \ + -enable-webhook-ca-update \ + {{- else }} + -tls-cert-dir=/etc/connect-injector/certs \ + {{- end }} + {{- $resources := .Values.connectInject.sidecarProxy.resources }} + {{- /* kindIs is used here to differentiate between null and 0 */}} + {{- if not (kindIs "invalid" $resources.limits.memory) }} + -default-sidecar-proxy-memory-limit={{ $resources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.memory) }} + -default-sidecar-proxy-memory-request={{ $resources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.limits.cpu) }} + -default-sidecar-proxy-cpu-limit={{ $resources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $resources.requests.cpu) }} + -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \ + {{- end }} + -default-envoy-proxy-concurrency={{ .Values.connectInject.sidecarProxy.concurrency }} \ + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnabled }} + -default-enable-sidecar-proxy-lifecycle=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle=false \ + {{- end }} + {{- if .Values.connectInject.sidecarProxy.lifecycle.defaultEnableShutdownDrainListeners }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=true \ + {{- else }} + -default-enable-sidecar-proxy-lifecycle-shutdown-drain-listeners=false \ + {{- end }} + -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-startup-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultStartupGracePeriodSeconds }} \ + -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ + -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ + -default-sidecar-proxy-lifecycle-graceful-startup-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulStartupPath }}" \ + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ + {{- if .Values.connectInject.initContainer }} + {{- $initResources := .Values.connectInject.initContainer.resources }} + {{- if not (kindIs "invalid" $initResources.limits.memory) }} + -init-container-memory-limit={{ $initResources.limits.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.memory) }} + -init-container-memory-request={{ $initResources.requests.memory }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.limits.cpu) }} + -init-container-cpu-limit={{ $initResources.limits.cpu }} \ + {{- end }} + {{- if not (kindIs "invalid" $initResources.requests.cpu) }} + -init-container-cpu-request={{ $initResources.requests.cpu }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + -enable-auto-encrypt \ + {{- end }} + -enable-telemetry-collector={{ .Values.global.metrics.enableTelemetryCollector}} \ + startupProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + initialDelaySeconds: 30 + failureThreshold: 15 + periodSeconds: 2 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /readyz/ready + port: 9445 + scheme: HTTP + failureThreshold: 2 + initialDelaySeconds: 2 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + mountPath: /etc/connect-injector/certs + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled))}} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.connectInject.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + {{- if not (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) }} + - name: certs + secret: + defaultMode: 420 + secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.connectInject.priorityClassName }} + priorityClassName: {{ .Values.connectInject.priorityClassName | quote }} + {{- end }} + {{- if .Values.connectInject.nodeSelector }} + nodeSelector: + {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.affinity }} + affinity: + {{ tpl .Values.connectInject.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.connectInject.tolerations }} + tolerations: + {{ tpl .Values.connectInject.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-inject-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8d01ace911 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-inject-validatingwebhookconfiguration.yaml @@ -0,0 +1,31 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The ValidatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- name: validate-gatewaypolicy.consul.hashicorp.com + matchPolicy: Equivalent + rules: + - operations: [ "CREATE" , "UPDATE" ] + apiGroups: [ "consul.hashicorp.com" ] + apiVersions: [ "v1alpha1" ] + resources: [ "gatewaypolicies" ] + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /validate-v1alpha1-gatewaypolicy +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.3/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-apigateways.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-apigateways.yaml new file mode 100644 index 0000000000..755fb05b64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-apigateways.yaml @@ -0,0 +1,240 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: apigateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: APIGateway + listKind: APIGatewayList + plural: apigateways + singular: apigateway + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: APIGateway is the Schema for the API Gateway + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the APIGateway + type: string + listeners: + items: + properties: + hostname: + description: Hostname is the host name that a listener should + be bound to, if unspecified, the listener accepts requests + for all hostnames. + type: string + name: + description: Name is the name of the listener in a given gateway. + This must be unique within a gateway. + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + description: Protocol is the protocol that a listener should + use, it must either be "http" or "tcp" + type: string + tls: + description: TLS is the TLS settings for the listener. + properties: + certificates: + description: Certificates is a set of references to certificates + that a gateway listener uses for TLS termination. + items: + description: Reference identifies which resource a condition + relates to, when it is not the core resource itself. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the + resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all partitions." + type: string + peerName: + description: "PeerName identifies which peer the + resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list resources + across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes are + made to the group's resource types. + type: string + kind: + description: Kind identifies the specific resource + type within the group. + type: string + type: object + type: object + type: array + tlsParameters: + description: TLSParameters contains optional configuration + for running TLS termination. + properties: + cipherSuites: + items: + enum: + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA + - TLS_CIPHER_SUITE_AES128_GCM_SHA256 + - TLS_CIPHER_SUITE_AES128_SHA + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 + - TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA + - TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA + - TLS_CIPHER_SUITE_AES256_GCM_SHA384 + format: int32 + type: string + type: array + maxVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + minVersion: + enum: + - TLS_VERSION_AUTO + - TLS_VERSION_1_0 + - TLS_VERSION_1_1 + - TLS_VERSION_1_2 + - TLS_VERSION_1_3 + - TLS_VERSION_INVALID + - TLS_VERSION_UNSPECIFIED + format: int32 + type: string + type: object + type: object + type: object + minItems: 1 + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices-v1.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices-v1.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..6613e3da7e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-exportedservices.yaml @@ -0,0 +1,108 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.multicluster.consul.hashicorp.com +spec: + group: multicluster.consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the Exported Services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + consumers: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + services: + items: + type: string + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs-v1.yaml new file mode 100644 index 0000000000..41023c19dc --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs-v1.yaml @@ -0,0 +1,218 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayClassConfig defines the values that may be set on a GatewayClass + for Consul API Gateway. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClassConfig. + properties: + copyAnnotations: + description: Annotation Information to copy to services or deployments + properties: + service: + description: List of annotations to copy to the gateway service. + items: + type: string + type: array + type: object + deployment: + description: Deployment defines the deployment configuration for the + gateway. + properties: + defaultInstances: + default: 1 + description: Number of gateway instances that should be deployed + by default + format: int32 + maximum: 8 + minimum: 1 + type: integer + maxInstances: + default: 8 + description: Max allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + minInstances: + default: 1 + description: Minimum allowed number of gateway instances + format: int32 + maximum: 8 + minimum: 1 + type: integer + resources: + description: Resources defines the resource requirements for the + gateway. + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. It can only be + set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in + pod.spec.resourceClaims of the Pod where this field + is used. It makes that resource available inside a + container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + mapPrivilegedContainerPorts: + description: The value to add to privileged ports ( ports < 1024) + for gateway containers + format: int32 + type: integer + metrics: + description: Metrics defines how to configure the metrics for a gateway. + properties: + enabled: + description: Enable metrics for this class of gateways. If unspecified, + will inherit behavior from the global Helm configuration. + type: boolean + path: + description: The path used for metrics. + type: string + port: + description: The port used for metrics. + format: int32 + maximum: 65535 + minimum: 1024 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + openshiftSCCName: + description: The name of the OpenShift SecurityContextConstraints + resource for this gateway class to use. + type: string + podSecurityPolicy: + description: The name of an existing Kubernetes PodSecurityPolicy + to bind to the managed ServiceAccount if ACLs are managed. + type: string + serviceType: + description: Service Type string describes ingress methods for a service + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + tolerations: + description: 'Tolerations allow the scheduler to schedule nodes with + matching taints. More Info: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/' + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs.yaml new file mode 100644 index 0000000000..93effd843b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclassconfigs.yaml @@ -0,0 +1,1826 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclassconfigs.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClassConfig + listKind: GatewayClassConfigList + plural: gatewayclassconfigs + singular: gatewayclassconfig + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClassConfig is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayClassConfigSpec specifies the desired state of the + GatewayClassConfig CRD. + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + deployment: + description: Deployment contains config specific to the Deployment + created from this GatewayClass + properties: + affinity: + description: Affinity specifies the affinity to use on the created + Deployment. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by + this field and the ones listed in the namespaces + field. null selector and null or empty namespaces + list means "this pod's namespace". An empty + selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. + The term is applied to the union of the namespaces + listed in this field and the ones selected + by namespaceSelector. null or empty namespaces + list and null namespaceSelector means "this + pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + container: + description: Container contains config specific to the created + Deployment's container. + properties: + consul: + description: Consul specifies configuration for the consul-dataplane + container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + hostPort: + description: HostPort specifies a port to be exposed to the + external host network + format: int32 + type: integer + portModifier: + description: PortModifier specifies the value to be added + to every port value for listeners on this gateway. This + is generally used to avoid binding to privileged ports in + the container. + format: int32 + type: integer + resources: + description: Resources specifies the resource requirements + for the created Deployment's container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + dnsPolicy: + description: DNSPolicy specifies the dns policy to use. These + are set on a per pod basis. + enum: + - Default + - ClusterFirst + - ClusterFirstWithHostNet + - None + type: string + hostNetwork: + description: HostNetwork specifies whether the gateway pods should + run on the host network. + type: boolean + initContainer: + description: InitContainer contains config specific to the created + Deployment's init container. + properties: + consul: + description: Consul specifies configuration for the consul-k8s-control-plane + init container + properties: + logging: + description: Logging specifies the logging configuration + for Consul Dataplane + properties: + level: + description: Level sets the logging level for Consul + Dataplane (debug, info, etc.) + type: string + type: object + type: object + resources: + description: Resources specifies the resource requirements + for the created Deployment's init container + properties: + claims: + description: "Claims lists the names of resources, defined + in spec.resourceClaims, that are used by this container. + \n This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. \n This field + is immutable. It can only be set for containers." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry + in pod.spec.resourceClaims of the Pod where this + field is used. It makes that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of + compute resources required. If Requests is omitted for + a container, it defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined value. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a feature that constrains the scheduling + of a pod to nodes that match specified labels. By defining NodeSelector + in a pod''s configuration, you can ensure that the pod is only + scheduled to nodes with the corresponding labels, providing + a way to influence the placement of workloads based on node + attributes. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: PriorityClassName specifies the priority class name + to use on the created Deployment. + type: string + replicas: + description: Replicas specifies the configuration to control the + number of replicas for the created Deployment. + properties: + default: + description: Default is the number of replicas assigned to + the Deployment when created + format: int32 + type: integer + max: + description: Max is the maximum number of replicas allowed + for a gateway with this class. If the replica count exceeds + this value due to manual or automated scaling, the replica + count will be restored to this value. + format: int32 + type: integer + min: + description: Min is the minimum number of replicas allowed + for a gateway with this class. If the replica count drops + below this value due to manual or automated scaling, the + replica count will be restored to this value. + format: int32 + type: integer + type: object + securityContext: + description: SecurityContext specifies the security context for + the created Deployment's Pod. + properties: + fsGroup: + description: "A special supplemental group that applies to + all containers in a pod. Some volume types allow the Kubelet + to change the ownership of that volume to be owned by the + pod: \n 1. The owning GID will be the FSGroup 2. The setgid + bit is set (new files created in the volume will be owned + by FSGroup) 3. The permission bits are OR'd with rw-rw---- + \n If unset, the Kubelet will not modify the ownership and + permissions of any volume. Note that this field cannot be + set when spec.os.name is windows." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior of changing + ownership and permission of the volume before being exposed + inside Pod. This field will only apply to volume types which + support fsGroup based ownership(and permissions). It will + have no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used. Note that + this field cannot be set when spec.os.name is windows.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the container + process. Uses runtime default if unset. May also be set + in SecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. Note that this field + cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail + to start the container if it does. If unset or false, no + such validation will be performed. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container + process. Defaults to user specified in image metadata if + unspecified. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name is + windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random + SELinux context for each container. May also be set in + SecurityContext. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot be set when + spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile defined + in a file on the node should be used. The profile must + be preconfigured on the node to work. Must be a descending + path, relative to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile + will be applied. Valid options are: \n Localhost - a + profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile + should be used. Unconfined - no profile should be applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first process + run in each container, in addition to the container's primary + GID, the fsGroup (if specified), and group memberships defined + in the container image for the uid of the container process. + If unspecified, no additional groups are added to any container. + Note that group memberships defined in the container image + for the uid of the container process are still effective, + even if they are not included in this list. Note that this + field cannot be set when spec.os.name is windows. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls used + for the pod. Pods with unsupported sysctls (by the container + runtime) might fail to launch. Note that this field cannot + be set when spec.os.name is windows. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied to all + containers. If unspecified, the options within a container's + SecurityContext will be used. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence. Note that this field cannot be set when + spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named + by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the + GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container should + be run as a 'Host Process' container. This field is + alpha-level and will only be honored by components that + enable the WindowsHostProcessContainers feature flag. + Setting this field without the feature flag will result + in errors when validating the Pod. All of a Pod's containers + must have the same effective HostProcess value (it is + not allowed to have a mix of HostProcess containers + and non-HostProcess containers). In addition, if HostProcess + is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: The UserName in Windows to run the entrypoint + of the container process. Defaults to the user specified + in image metadata if unspecified. May also be set in + PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + tolerations: + description: Tolerations specifies the tolerations to use on the + created Deployment. + items: + description: The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: 'TopologySpreadConstraints is a feature that controls + how pods are spead across your topology. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/' + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine + the number of pods in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to + select the pods over which spreading will be calculated. + The keys are used to lookup values from the incoming pod + labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading + will be calculated for the incoming pod. Keys that don't + exist in the incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: 'MaxSkew describes the degree to which pods + may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between the number + of matching pods in the target topology and the global + minimum. The global minimum is the minimum number of matching + pods in an eligible domain or zero if the number of eligible + domains is less than MinDomains. For example, in a 3-zone + cluster, MaxSkew is set to 1, and pods with the same labelSelector + spread as 2/2/1: In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | | P P | P P | P | - + if MaxSkew is 1, incoming pod can only be scheduled to + zone3 to become 2/2/2; scheduling it onto zone1(zone2) + would make the ActualSkew(3-1) on zone1(zone2) violate + MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled + onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, + it is used to give higher precedence to topologies that + satisfy it. It''s a required field. Default value is 1 + and 0 is not allowed.' + format: int32 + type: integer + minDomains: + description: "MinDomains indicates a minimum number of eligible + domains. When the number of eligible domains with matching + topology keys is less than minDomains, Pod Topology Spread + treats \"global minimum\" as 0, and then the calculation + of Skew is performed. And when the number of eligible + domains with matching topology keys equals or greater + than minDomains, this value has no effect on scheduling. + As a result, when the number of eligible domains is less + than minDomains, scheduler won't schedule more than maxSkew + Pods to those domains. If value is nil, the constraint + behaves as if MinDomains is equal to 1. Valid values are + integers greater than 0. When value is not nil, WhenUnsatisfiable + must be DoNotSchedule. \n For example, in a 3-zone cluster, + MaxSkew is set to 2, MinDomains is set to 5 and pods with + the same labelSelector spread as 2/2/2: | zone1 | zone2 + | zone3 | | P P | P P | P P | The number of domains + is less than 5(MinDomains), so \"global minimum\" is treated + as 0. In this situation, new pod with the same labelSelector + cannot be scheduled, because computed skew will be 3(3 + - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. \n This is a beta field and requires + the MinDomainsInPodTopologySpread feature gate to be enabled + (enabled by default)." + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how we will treat + Pod's nodeAffinity/nodeSelector when calculating pod topology + spread skew. Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this value is + nil, the behavior is equivalent to the Honor policy. This + is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we will treat + node taints when calculating pod topology spread skew. + Options are: - Honor: nodes without taints, along with + tainted nodes for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. All nodes + are included. \n If this value is nil, the behavior is + equivalent to the Ignore policy. This is a beta-level + feature default enabled by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string + topologyKey: + description: TopologyKey is the key of node labels. Nodes + that have a label with this key and identical values are + considered to be in the same topology. We consider each + as a "bucket", and try to put balanced number + of pods into each bucket. We define a domain as a particular + instance of a topology. Also, we define an eligible domain + as a domain whose nodes meet the requirements of nodeAffinityPolicy + and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", + each Node is a domain of that topology. And, if TopologyKey + is "topology.kubernetes.io/zone", each zone is a domain + of that topology. It's a required field. + type: string + whenUnsatisfiable: + description: 'WhenUnsatisfiable indicates how to deal with + a pod if it doesn''t satisfy the spread constraint. - + DoNotSchedule (default) tells the scheduler not to schedule + it. - ScheduleAnyway tells the scheduler to schedule the + pod in any location, but giving higher precedence to topologies + that would help reduce the skew. A constraint is considered + "Unsatisfiable" for an incoming pod if and only if every + possible node assignment for that pod would violate "MaxSkew" + on some topology. For example, in a 3-zone cluster, MaxSkew + is set to 1, and pods with the same labelSelector spread + as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming + pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) + as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). + In other words, the cluster can still be imbalanced, but + scheduler won''t make it *more* imbalanced. It''s a required + field.' + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key included + here will override those in Set if specified on the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included here + will be overridden if present in InheritFromGateway and set + on the Gateway. + type: object + type: object + role: + description: Role contains config specific to the Role created from + this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + roleBinding: + description: RoleBinding contains config specific to the RoleBinding + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + service: + description: Service contains config specific to the Service created + from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: + description: Type specifies the type of Service to use (LoadBalancer, + ClusterIP, etc.) + enum: + - ClusterIP + - NodePort + - LoadBalancer + type: string + type: object + serviceAccount: + description: ServiceAccount contains config specific to the corev1.ServiceAccount + created from this GatewayClass + properties: + annotations: + description: Annotations are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + labels: + description: Labels are applied to the created resource + properties: + inheritFromGateway: + description: InheritFromGateway lists the names/keys of annotations + or labels to copy from the Gateway resource. Any name/key + included here will override those in Set if specified on + the Gateway. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set lists the names/keys and values of annotations + or labels to set on the resource. Any name/key included + here will be overridden if present in InheritFromGateway + and set on the Gateway. + type: object + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..93435b7fce --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,328 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..70763f9104 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gatewayclasses.yaml @@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClass is the Schema for the Gateway Class API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName is the name of the Kubernetes controller + that manages Gateways of this class + type: string + description: + description: Description of GatewayClass + type: string + parametersRef: + description: ParametersRef refers to a resource responsible for configuring + the behavior of the GatewayClass. + properties: + group: + description: The Kubernetes Group that the referred object belongs + to + type: string + kind: + description: The Kubernetes Kind that the referred object is + type: string + name: + description: The Name of the referred object + type: string + namespace: + description: The kubernetes namespace that the referred object + is in + type: string + required: + - name + type: object + required: + - controllerName + - parametersRef + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..41df34942a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-gateways-external.yaml @@ -0,0 +1,882 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..739ed2c659 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,766 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes.yaml new file mode 100644 index 0000000000..31812fff35 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-grpcroutes.yaml @@ -0,0 +1,617 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + shortNames: + - grpc-route + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GRPCRoute is the Schema for the GRPC Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this GRPCRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. Failure behavior here depends on + how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + properties: + name: + type: string + type: + description: "HeaderMatchType specifies the semantics + of how HTTP header values should be compared. + Valid HeaderMatchType values, along with their + conformance levels, are: \n Note that values may + be added to this enum, implementations must ensure + that unknown values will not cause a crash. \n + Unknown values here must result in the implementation + setting the Accepted Condition for the Route to + status: False, with a Reason of UnsupportedValue." + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + type: string + type: object + type: array + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string.}" + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + type: string + type: + description: 'Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified)' + enum: + - GRPC_METHOD_MATCH_TYPE_UNSPECIFIED + - GRPC_METHOD_MATCH_TYPE_EXACT + - GRPC_METHOD_MATCH_TYPE_REGEX + format: int32 + type: string + type: object + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..bba3672d16 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-httproutes-external.yaml @@ -0,0 +1,1914 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-httproutes.yaml new file mode 100644 index 0000000000..3da6e1e637 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-httproutes.yaml @@ -0,0 +1,673 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + shortNames: + - http-route + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: HTTPRoute is the Schema for the HTTP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute + \n This is a Resource type." + properties: + hostnames: + description: "Hostnames are the hostnames for which this HTTPRoute + should respond to requests. \n This is only valid for north/south." + items: + type: string + type: array + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of HTTP-based routing rules that this + route should use for constructing a routing table. + items: + description: HTTPRouteRule specifies the routing rules used to determine + what upstream service an HTTP request is routed to. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If all entries in BackendRefs are invalid, and there are + also no filters specified in this route rule, all traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined." + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + filters: + description: Filters defined at this level should be executed + if and only if the request is being forwarded to the + backend defined here. + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema + for a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema + for a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with + the given header (name, value) before the + action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: RequestHeaderModifier defines a schema for + a filter that modifies request headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + responseHeaderModifier: + description: ResponseHeaderModifier defines a schema for + a filter that modifies response headers. + properties: + add: + description: Add adds the given header(s) (name, value) + to the request before the action. It appends to + any existing values associated with the header name. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + remove: + description: Remove the given header(s) from the HTTP + request before the action. The value of Remove is + a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + items: + type: string + type: array + set: + description: Set overwrites the request with the given + header (name, value) before the action. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + urlRewrite: + description: URLRewrite defines a schema for a filter + that modifies a request during forwarding. + properties: + pathPrefix: + type: string + type: object + type: object + type: array + matches: + items: + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + properties: + invert: + description: 'NOTE: not in gamma; service-router + compat' + type: boolean + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, “foo” and “Foo” are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for “Set-Cookie”." + type: string + type: + description: Type specifies how to match against + the value of the header. + enum: + - HEADER_MATCH_TYPE_UNSPECIFIED + - HEADER_MATCH_TYPE_EXACT + - HEADER_MATCH_TYPE_REGEX + - HEADER_MATCH_TYPE_PRESENT + - HEADER_MATCH_TYPE_PREFIX + - HEADER_MATCH_TYPE_SUFFIX + format: int32 + type: string + value: + description: Value is the value of HTTP Header to + be matched. + type: string + type: object + type: array + method: + description: Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. + type: string + path: + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the “/” path is provided. + properties: + type: + description: Type specifies how to match against the + path Value. + enum: + - PATH_MATCH_TYPE_UNSPECIFIED + - PATH_MATCH_TYPE_EXACT + - PATH_MATCH_TYPE_PREFIX + - PATH_MATCH_TYPE_REGEX + format: int32 + type: string + value: + description: Value of the HTTP path to match against. + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is recommended that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + type: string + type: + description: Type specifies how to match against + the value of the query parameter. + enum: + - QUERY_PARAM_MATCH_TYPE_UNSPECIFIED + - QUERY_PARAM_MATCH_TYPE_EXACT + - QUERY_PARAM_MATCH_TYPE_REGEX + - QUERY_PARAM_MATCH_TYPE_PRESENT + format: int32 + type: string + value: + description: Value is the value of HTTP query param + to be matched. + type: string + type: object + type: array + type: object + type: array + retries: + properties: + number: + description: Number is the number of times to retry the + request when a retryable result occurs. + properties: + value: + description: The uint32 value. + format: int32 + type: integer + type: object + onConditions: + description: RetryOn allows setting envoy specific conditions + when a request should be automatically retried. + items: + type: string + type: array + onConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + onStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. This again should + be feasible in any reasonable proxy. + items: + format: int32 + type: integer + type: array + type: object + timeouts: + description: HTTPRouteTimeouts defines timeouts that can be + configured for an HTTPRoute or GRPCRoute. + properties: + idle: + description: Idle specifies the total amount of time permitted + for the request stream to be idle. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + request: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-meshconfigurations.yaml new file mode 100644 index 0000000000..21114d723f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-meshconfigurations.yaml @@ -0,0 +1,100 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshConfiguration + listKind: MeshConfigurationList + plural: meshconfigurations + singular: meshconfiguration + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshConfiguration is the Schema for the Mesh Configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshConfiguration is responsible for configuring the default + behavior of Mesh Gateways. This is a Resource type. + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-meshgateways.yaml new file mode 100644 index 0000000000..6202add695 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-meshgateways.yaml @@ -0,0 +1,134 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshgateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshGateway is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the MeshGateway + type: string + listeners: + items: + properties: + name: + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + enum: + - TCP + type: string + type: object + minItems: 1 + type: array + workloads: + description: Selection of workloads to be configured as mesh gateways + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..3d19d5ea4f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,405 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int32 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..db9cf12027 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-referencegrants-external.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..07ebfe9386 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,107 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + format: duration + type: string + requestTimeout: + format: duration + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c7924081fd --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: 'RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + caseInsensitive: + description: CaseInsensitive configures PathExact and + PathPrefix matches to ignore upper/lower casing. + type: boolean + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..b5bc7be13c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes.yaml new file mode 100644 index 0000000000..ae9d2cd080 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-tcproutes.yaml @@ -0,0 +1,278 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + shortNames: + - tcp-route + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TCPRoute is the Schema for the TCP Route API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: "NOTE: this should align to the GAMMA/gateway-api version, + or at least be easily translatable. \n https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute + \n This is a Resource type." + properties: + parentRefs: + description: "ParentRefs references the resources (usually Services) + that a Route wants to be attached to. \n It is invalid to reference + an identical parent more than once. It is valid to reference multiple + distinct sections within the same parent resource." + items: + description: 'NOTE: roughly equivalent to structs.ResourceReference' + properties: + port: + description: For east/west this is the name of the Consul Service + port to direct traffic to or empty to imply all. For north/south + this is TBD. + type: string + ref: + description: For east/west configuration, this should point + to a Service. For north/south it should point to a Gateway. + properties: + name: + description: Name is the user-given name of the resource + (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of the resource + the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units (i.e. + partition, namespace) in which the resource resides. + properties: + namespace: + description: "Namespace further isolates resources within + a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all partitions." + type: string + peerName: + description: "PeerName identifies which peer the resource + is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, provide + the wildcard value \"*\" to list resources across + all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. "catalog", + "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when sweeping + or backward-incompatible changes are made to the group's + resource types. + type: string + kind: + description: Kind identifies the specific resource type + within the group. + type: string + type: object + type: object + type: object + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + properties: + backendRefs: + description: BackendRefs defines the backend(s) where matching + requests should be sent. If unspecified or invalid (refers + to a non-existent resource or a Service with no endpoints), + the underlying implementation MUST actively reject connection + attempts to this backend. Connection rejections must respect + weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + items: + properties: + backendRef: + properties: + datacenter: + type: string + port: + description: "For east/west this is the name of the + Consul Service port to direct traffic to or empty + to imply using the same value as the parent ref. + \n For north/south this is TBD." + type: string + ref: + description: For east/west configuration, this should + point to a Service. + properties: + name: + description: Name is the user-given name of the + resource (e.g. the "billing" service). + type: string + section: + description: Section identifies which part of + the resource the condition relates to. + type: string + tenancy: + description: Tenancy identifies the tenancy units + (i.e. partition, namespace) in which the resource + resides. + properties: + namespace: + description: "Namespace further isolates resources + within a partition. https://developer.hashicorp.com/consul/docs/enterprise/namespaces + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all namespaces." + type: string + partition: + description: "Partition is the topmost administrative + boundary within a cluster. https://developer.hashicorp.com/consul/docs/enterprise/admin-partitions + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all partitions." + type: string + peerName: + description: "PeerName identifies which peer + the resource is imported from. https://developer.hashicorp.com/consul/docs/connect/cluster-peering + \n When using the List and WatchList endpoints, + provide the wildcard value \"*\" to list + resources across all peers." + type: string + type: object + type: + description: Type identifies the resource's type. + properties: + group: + description: Group describes the area of functionality + to which this resource type relates (e.g. + "catalog", "authorization"). + type: string + groupVersion: + description: GroupVersion is incremented when + sweeping or backward-incompatible changes + are made to the group's resource types. + type: string + kind: + description: Kind identifies the specific + resource type within the group. + type: string + type: object + type: object + type: object + weight: + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1." + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..cd53122e9d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-terminatinggateways.yaml @@ -0,0 +1,141 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + disableAutoHostRewrite: + description: DisableAutoHostRewrite disables terminating gateways + auto host rewrite feature when set to true. + type: boolean + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..1acd1b973a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,291 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-trafficpermissions.yaml new file mode 100644 index 0000000000..27ab6f5e3d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-trafficpermissions.yaml @@ -0,0 +1,261 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: trafficpermissions.auth.consul.hashicorp.com +spec: + group: auth.consul.hashicorp.com + names: + kind: TrafficPermissions + listKind: TrafficPermissionsList + plural: trafficpermissions + shortNames: + - traffic-permissions + singular: trafficpermissions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: TrafficPermissions is the Schema for the traffic-permissions + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + action: + description: "Action can be either allow or deny for the entire object. + It will default to allow. \n If action is allow, we will allow the + connection if one of the rules in Rules matches, in other words, + we will deny all requests except for the ones that match Rules. + If Consul is in default allow mode, then allow actions have no effect + without a deny permission as everything is allowed by default. \n + If action is deny, we will deny the connection if one of the rules + in Rules match, in other words, we will allow all requests except + for the ones that match Rules. If Consul is default deny mode, then + deny permissions have no effect without an allow permission as everything + is denied by default. \n Action unspecified is reserved for compatibility + with the addition of future actions." + enum: + - ACTION_ALLOW + - ACTION_DENY + - ACTION_UNKNOWN + format: int32 + type: string + destination: + description: Destination is a configuration of the destination proxies + where these traffic permissions should apply. + properties: + identityName: + type: string + type: object + permissions: + description: Permissions is a list of permissions to match on. They + are applied using OR semantics. + items: + description: Permissions is a list of permissions to match on. + properties: + destinationRules: + description: DestinationRules is a list of rules to apply for + matching sources in this Permission. These rules are specific + to the request or connection that is going to the destination(s) + selected by the TrafficPermissions resource. + items: + description: DestinationRule contains rules rules to apply + to the incoming connection. + properties: + exclude: + description: Exclude contains a list of rules to exclude + when evaluating rules for the incoming connection. + items: + properties: + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + description: PortNames is a list of workload ports + to apply this rule to. The ports specified here + must be the ports used in the connection. + items: + type: string + type: array + type: object + type: array + header: + properties: + exact: + type: string + invert: + type: boolean + name: + type: string + prefix: + type: string + present: + type: boolean + regex: + type: string + suffix: + type: string + type: object + methods: + description: Methods is the list of HTTP methods. If no + methods are specified, this rule will apply to all methods. + items: + type: string + type: array + pathExact: + type: string + pathPrefix: + type: string + pathRegex: + type: string + portNames: + items: + type: string + type: array + type: object + type: array + sources: + description: Sources is a list of sources in this traffic permission. + items: + description: Source represents the source identity. To specify + any of the wildcard sources, the specific fields need to + be omitted. For example, for a wildcard namespace, identity_name + should be omitted. + properties: + exclude: + description: Exclude is a list of sources to exclude from + this source. + items: + description: ExcludeSource is almost the same as source + but it prevents the addition of matching sources. + properties: + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + identityName: + type: string + namespace: + type: string + partition: + type: string + peer: + type: string + samenessGroup: + type: string + type: object + type: array + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.4.3/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..0661b24c1a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/crd-udproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-job.yaml new file mode 100644 index 0000000000..aff6b5a934 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-job.yaml @@ -0,0 +1,146 @@ +{{- if .Values.global.federation.createFederationSecret }} +{{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }} +{{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }} +{{- if eq (int .Values.server.updatePartition) 0 }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: create-federation-secret + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-create-federation-secret + {{- if .Values.client.tolerations }} + tolerations: + {{ tpl .Values.client.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.client.priorityClassName }} + priorityClassName: {{ .Values.client.priorityClassName | quote }} + {{- end }} + {{- if .Values.client.nodeSelector }} + nodeSelector: + {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} + {{- end }} + volumes: + {{- /* We can assume tls is enabled because there is a check in server-statefulset + that requires tls to be enabled if federation is enabled. */}} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + {{- if .Values.global.tls.caKey.secretName }} + secretName: {{ .Values.global.tls.caKey.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-key + {{- end }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + - name: gossip-encryption-key + secret: + secretName: {{ .Values.global.gossipEncryption.secretName }} + items: + - key: {{ .Values.global.gossipEncryption.secretKey }} + path: gossip.key + {{- else if .Values.global.gossipEncryption.autoGenerate }} + - name: gossip-encryption-key + secret: + secretName: {{ template "consul.fullname" . }}-gossip-encryption-key + items: + - key: key + path: gossip.key + {{- end }} + + containers: + - name: create-federation-secret + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONSUL_HTTP_ADDR + value: "https://{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:8501" + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/server/ca + readOnly: true + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + - name: gossip-encryption-key + mountPath: /consul/gossip + readOnly: true + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane create-federation-secret \ + -log-level={{ default .Values.global.logLevel .Values.global.federation.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -gossip-key-file=/consul/gossip/gossip.key \ + {{- end }} + {{- if .Values.global.acls.createReplicationToken }} + -export-replication-token=true \ + {{- end }} + -mesh-gateway-service-name={{ .Values.meshGateway.consulServiceName }} \ + -k8s-namespace="${NAMESPACE}" \ + -resource-prefix="{{ template "consul.fullname" . }}" \ + -server-ca-cert-file=/consul/tls/ca/tls.crt \ + -server-ca-key-file=/consul/tls/server/ca/tls.key \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.4.3/templates/datadog-agent-role.yaml new file mode 100644 index 0000000000..191e6433c6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/datadog-agent-role.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: datadog + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +{{- if .Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- else}} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: + - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token + verbs: [ "get", "watch", "list" ] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/datadog-agent-rolebinding.yaml new file mode 100644 index 0000000000..5fc3fdf545 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/datadog-agent-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +subjects: + - kind: ServiceAccount + apiGroup: "" + name: datadog-agent + namespace: datadog + - kind: ServiceAccount + apiGroup: "" + name: datadog-cluster-agent + namespace: datadog +roleRef: + kind: Role + name: {{ template "consul.fullname" . }}-datadog-metrics + apiGroup: "" +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/dns-service.yaml b/charts/hashicorp/consul/1.4.3/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-job.yaml new file mode 100644 index 0000000000..8db9500a22 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-job.yaml @@ -0,0 +1,145 @@ +{{- if .Values.server.enterpriseLicense }}{{ fail "server.enterpriseLicense has been moved to global.enterpriseLicense" }}{{ end -}} +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "100" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-license + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: license + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-enterprise-license + {{- if .Values.global.tls.enabled }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + containers: + - name: apply-enterprise-license + image: "{{ default .Values.global.image .Values.server.image }}" + env: + - name: ENTERPRISE_LICENSE + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.global.enterpriseLicense.secretName }} + key: {{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://{{ template "consul.fullname" . }}-server:8501 + {{- else }} + value: http://{{ template "consul.fullname" . }}-server:8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end}} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN + valueFrom: + secretKeyRef: + name: "{{ template "consul.fullname" . }}-enterprise-license-acl-token" + key: "token" + {{- end}} + command: + - "/bin/sh" + - "-c" + - | + # Create a script that we can execute with the timeout command. + mkdir -p /tmp/scripts/ + cat > /tmp/scripts/apply-license.sh << 'EOF' + #!/bin/sh + while true; do + echo "Applying license..." + if consul license put "${ENTERPRISE_LICENSE}" 2>&1; then + echo "License applied successfully" + break + fi + echo "Retrying in 2s..." + sleep 2 + done + EOF + chmod +x /tmp/scripts/apply-license.sh + + # Time out after 20 minutes. Use || to support new timeout versions that don't accept -t + timeout -t 1200 /tmp/scripts/apply-license.sh 2> /dev/null || timeout 1200 /tmp/scripts/apply-license.sh 2> /dev/null + {{- if .Values.global.tls.enabled }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + {{- if .Values.global.acls.manageSystemACLs }} + initContainers: + - name: ent-license-acl-init + image: {{ .Values.global.imageK8S }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane acl-init \ + -secret-name="{{ template "consul.fullname" . }}-enterprise-license-acl-token" \ + -k8s-namespace={{ .Release.Namespace }} \ + -consul-api-timeout={{ .Values.global.consulAPITimeout }} + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "25Mi" + cpu: "50m" + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.4.3/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..5518bfc390 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,44 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshgateways + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-job.yaml new file mode 100644 index 0000000000..0d4f84272c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-job.yaml @@ -0,0 +1,67 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup + containers: + - name: gateway-cleanup + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-cleanup + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..ad7082f060 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,47 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - meshgateways + verbs: + - get + - update + - create + - apiGroups: + - consul.hashicorp.com + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + - mesh.consul.hashicorp.com + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-configmap.yaml new file mode 100644 index 0000000000..842ba6690d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-configmap.yaml @@ -0,0 +1,132 @@ +{{- if .Values.connectInject.enabled }} + +# Validation +# For meshGateway.wanAddress, static must be set if source is "Static" +{{if (and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static ""))}}{{fail ".meshGateway.wanAddress.static must be set to a value if .meshGateway.wanAddress.source is Static"}}{{ end }} + +# Configuration of Gateway Resources Job which creates managed Gateway configuration. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +data: + {{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }} + resources.json: | + {{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }} + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) .Values.meshGateway.enabled }} + config.yaml: | + gatewayClassConfigs: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + metadata: + name: consul-mesh-gateway + kind: GatewayClassConfig + spec: + labels: + set: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + deployment: + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: {{ toJson (default "{}" .Values.meshGateway.affinity) }} + {{- end }} + {{- if .Values.meshGateway.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.annotations }} + {{- end }} + {{- if .Values.global.extraLabels }} + labels: + set: {{ toJson .Values.global.extraLabels }} + {{- end }} + container: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + portModifier: {{ sub .Values.meshGateway.containerPort .Values.meshGateway.service.port }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + resources: {{ toJson .Values.meshGateway.resources }} + initContainer: + consul: + logging: + level: {{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + resources: {{ toJson .Values.meshGateway.initServiceInitContainer.resources }} + {{- with .Values.meshGateway.nodeSelector }} + nodeSelector: {{ fromYaml . | toJson }} + {{- end }} + {{- with .Values.meshGateway.hostNetwork }} + hostNetwork: {{ . }} + {{- end }} + {{- with .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ fromYamlArray . | toJson }} + {{- end }} + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 16 | trim }} + {{- end }} + replicas: + default: {{ .Values.meshGateway.replicas }} + min: {{ .Values.meshGateway.replicas }} + max: {{ .Values.meshGateway.replicas }} + {{- if .Values.meshGateway.tolerations }} + tolerations: {{ fromYamlArray .Values.meshGateway.tolerations | toJson }} + {{- end }} + service: + {{- if .Values.meshGateway.service.annotations }} + annotations: + set: {{ toJson .Values.meshGateway.service.annotations }} + {{- end }} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.serviceAccount.annotations }} + serviceAccount: + annotations: + set: {{ toJson .Values.meshGateway.serviceAccount.annotations }} + {{- end }} + meshGateways: + - apiVersion: mesh.consul.hashicorp.com/v2beta1 + kind: MeshGateway + metadata: + name: mesh-gateway + namespace: {{ .Release.Namespace }} + annotations: + # TODO are these annotations even necessary? + "consul.hashicorp.com/gateway-wan-address-source": {{ .Values.meshGateway.wanAddress.source | quote }} + "consul.hashicorp.com/gateway-wan-address-static": {{ .Values.meshGateway.wanAddress.static | quote }} + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.nodePort | quote }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.service.port | quote }} + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": {{ .Values.meshGateway.wanAddress.port | quote }} + {{- end }} + spec: + gatewayClassName: consul-mesh-gateway + listeners: + - name: "wan" + port: {{ .Values.meshGateway.service.port }} + protocol: "TCP" + workloads: + prefixes: + - "mesh-gateway" + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-job.yaml new file mode 100644 index 0000000000..ead22833e9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-job.yaml @@ -0,0 +1,133 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gateway-resources + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources + containers: + - name: gateway-resources + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - consul-k8s-control-plane + args: + - gateway-resources + - -gateway-class-name=consul + - -gateway-class-config-name=consul-api-gateway + - -controller-name=consul.hashicorp.com/gateway-controller + - -app={{template "consul.name" .}} + - -chart={{template "consul.chart" .}} + - -heritage={{ .Release.Service }} + - -release-name={{ .Release.Name }} + - -component=api-gateway + {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263 + {{- if .Values.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }} + {{- end }} + - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }} + {{- else }} # the new stanza + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + - -deployment-max-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.maxInstances }} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + - -deployment-min-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.minInstances }} + {{- end}} + {{- end}} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector }} + - -node-selector + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.nodeSelector | nindent 14 -}} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + - -tolerations={{ .Values.connectInject.apiGateway.managedGatewayClass.tolerations }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service }} + - -service-annotations + - {{- toYaml .Values.connectInject.apiGateway.managedGatewayClass.copyAnnotations.service.annotations | nindent 14 -}} + {{- end }} + - -service-type={{ .Values.connectInject.apiGateway.managedGatewayClass.serviceType }} + {{- if .Values.global.openshift.enabled }} + - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }} + {{- end }} + - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }} + {{- if (ne (.Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString) "-") }} + - -enable-metrics={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.enabled | toString }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + - -metrics-path={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.path }} + {{- end }} + {{- if .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + - -metrics-port={{ .Values.connectInject.apiGateway.managedGatewayClass.metrics.port }} + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + volumeMounts: + - name: config + mountPath: /consul/config + readOnly: true + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-gateway-resources-config +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-job.yaml new file mode 100644 index 0000000000..cea13c77fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-job.yaml @@ -0,0 +1,70 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} +{{ end }} +# automatically generate encryption key for gossip protocol and save it in Kubernetes secret +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + {{- if not .Values.global.openshift.enabled }} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + {{- end }} + containers: + - name: gossip-encryption-autogen + image: "{{ .Values.global.imageK8S }}" + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane gossip-encryption-autogenerate \ + -namespace={{ .Release.Namespace }} \ + -secret-name={{ template "consul.fullname" . }}-gossip-encryption-key \ + -secret-key="key" \ + -log-level={{ default .Values.global.logLevel .Values.global.gossipEncryption.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-deployment.yaml new file mode 100644 index 0000000000..508ab64eff --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-deployment.yaml @@ -0,0 +1,370 @@ +{{- if .Values.ingressGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- $names := dict }} + +{{- /* Check if gateway names are unique. */ -}} +{{- $gateways := .Values.ingressGateways.gateways }} +{{- range $outerIngressIndex, $outerIngressVal := $gateways }} + +{{- range $innerIngressIndex, $innerIngressVal := $gateways }} +{{- if (and (ne $outerIngressIndex $innerIngressIndex) (eq $outerIngressVal.name $innerIngressVal.name)) }} +{{ fail (cat "ingress gateways must have unique names but found duplicate name" $innerIngressVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} + +{{- if empty .name }} +# Check that the gateway name is provided +{{ fail "Ingress gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the gateway name is unique +{{ fail "Ingress gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "ingress-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + "consul.hashicorp.com/gateway-wan-address-source": "Service" + {{- $serviceType := (default $defaults.service.type $service.type) }} + {{- if (eq $serviceType "NodePort") }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.nodePort }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.nodePort }}" + {{- else }}{{ fail "if ingressGateways .service.type=NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a nodePort" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type=NodePort, the first port entry in either the defaults or specific gateway must include a nodePort" }} + {{- end }} + {{- else }} + {{- if $service.ports }} + {{- $firstPort := first $service.ports}} + {{- if $firstPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and defining ingressGateways.gateways.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else if $defaults.service.ports }} + {{- $firstDefaultPort := first $defaults.service.ports}} + {{- if $firstDefaultPort.port }} + "consul.hashicorp.com/gateway-wan-port": "{{ $firstDefaultPort.port }}" + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort and using ingressGateways.defaults.service.ports, the first port entry must include a port" }} + {{- end }} + {{- else }}{{ fail "if ingressGateways .service.type is not NodePort, the first port entry in either the defaults or specific gateway must include a port" }} + {{- end }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" $defaults.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: {{ default $defaults.terminationGracePeriodSeconds .terminationGracePeriodSeconds }} + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # ingress-gateway-init registers the ingress gateway service with Consul. + - name: ingress-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 8 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=ingress-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="ingress-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ template "consul.fullname" $root }}-{{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: ingress-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 8 }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} + {{- end }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.ingressGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 21000 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway-health + containerPort: 21000 + {{- range $index, $allPorts := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + containerPort: {{ $allPorts.port }} + {{- end }} + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ default $defaults.priorityClassName .priorityClassName | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..3053105105 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,36 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..2fb80fc04c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-deployment.yaml new file mode 100644 index 0000000000..3d75d55613 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-deployment.yaml @@ -0,0 +1,323 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.acls.manageSystemACLs (ne .Values.meshGateway.consulServiceName "") (ne .Values.meshGateway.consulServiceName "mesh-gateway") }}{{ fail "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" }}{{ end -}} +{{- if .Values.meshGateway.globalMode }}{{ fail "meshGateway.globalMode is no longer supported; instead, you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }} +{{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.meshGateway.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: mesh-gateway + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "mesh-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .Values.meshGateway.consulServiceName }}" + "consul.hashicorp.com/mesh-gateway-container-port": "{{ .Values.meshGateway.containerPort }}" + "consul.hashicorp.com/gateway-wan-address-source": "{{ .Values.meshGateway.wanAddress.source }}" + "consul.hashicorp.com/gateway-wan-address-static": "{{ .Values.meshGateway.wanAddress.static }}" + {{- if eq .Values.meshGateway.wanAddress.source "Service" }} + {{- if eq .Values.meshGateway.service.type "NodePort" }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.nodePort }}" + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.service.port }}" + {{- end }} + {{- else }} + "consul.hashicorp.com/gateway-wan-port": "{{ .Values.meshGateway.wanAddress.port }}" + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.meshGateway.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if .Values.meshGateway.annotations }} + {{- tpl .Values.meshGateway.annotations . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.meshGateway.affinity }} + affinity: + {{ tpl .Values.meshGateway.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.tolerations }} + tolerations: + {{ tpl .Values.meshGateway.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.meshGateway.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.meshGateway.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-mesh-gateway + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- end }} + {{- if .Values.meshGateway.dnsPolicy }} + dnsPolicy: {{ .Values.meshGateway.dnsPolicy }} + {{- end }} + initContainers: + - name: mesh-gateway-init + image: {{ .Values.global.imageK8S }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=mesh-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="mesh-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .Values.meshGateway.consulServiceName }} \ + -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if .Values.meshGateway.initServiceInitContainer.resources }} + resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 10 }} + {{- end }} + containers: + - name: mesh-gateway + image: {{ .Values.global.imageConsulDataplane | quote }} + securityContext: + capabilities: + {{ if not .Values.meshGateway.hostNetwork}} + drop: + - ALL + {{- end }} + add: + - NET_BIND_SERVICE + {{- if .Values.meshGateway.resources }} + resources: + {{- if eq (typeOf .Values.meshGateway.resources) "string" }} + {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.meshGateway.resources | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /consul/service + name: consul-service + readOnly: true + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.meshGateway.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: {{ .Values.meshGateway.containerPort }} + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.hostPort }} + hostPort: {{ .Values.meshGateway.hostPort }} + {{- end }} + {{- if .Values.meshGateway.priorityClassName }} + priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }} + {{- end }} + {{- if .Values.meshGateway.nodeSelector }} + nodeSelector: + {{ tpl .Values.meshGateway.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..56e4b7924c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..80f82ac897 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-service.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..b1a0661eaa --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-init-job.yaml new file mode 100644 index 0000000000..21ad2930b8 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-init-job.yaml @@ -0,0 +1,131 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled) (ne .Values.global.adminPartitions.name "default")) }} +{{- template "consul.reservedNamesFailer" (list .Values.global.adminPartitions.name "global.adminPartitions.name") }} +{{- if and (not .Values.externalServers.enabled) (ne .Values.global.adminPartitions.name "default") }}{{ fail "externalServers.enabled needs to be true and configured to create a non-default partition." }}{{ end -}} +{{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.manageSystemACLs (not .Values.global.secretsBackend.vault.adminPartitionsRole) }}{{ fail "global.secretsBackend.vault.adminPartitionsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true." }}{{ end -}} +{{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-partition-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: partition-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if (and .Values.global.secretsBackend.vault.enabled (or .Values.global.tls.enabled .Values.global.acls.manageSystemACLs)) }} + "vault.hashicorp.com/agent-pre-populate-only": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.manageSystemACLs }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.adminPartitionsRole }} + {{- if .Values.global.acls.bootstrapToken.secretName }} + {{- with .Values.global.acls.bootstrapToken }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- else }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-partition-init + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumes: + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: partition-init-job + image: {{ .Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + {{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - name: CONSUL_ACL_TOKEN_FILE + value: /vault/secrets/bootstrap-token + {{- else }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName }} + key: {{ .Values.global.acls.bootstrapToken.secretKey }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or .Values.externalServers.useSystemRoots .Values.global.secretsBackend.vault.enabled) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane partition-init \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + {{- if .Values.global.cloud.enabled }} + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + {{- end }} + {{- if and (mustHas "resource-apis" .Values.global.experiments) (mustHas "v2tenancy" .Values.global.experiments) }} + -enable-v2tenancy=true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/prometheus.yaml b/charts/hashicorp/consul/1.4.3/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-job.yaml new file mode 100644 index 0000000000..b47e04188f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-job.yaml @@ -0,0 +1,89 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- /* See reason for this in server-acl-init-job.yaml */ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +# This job deletes the server-acl-init job once it completes successfully. +# It runs as a helm hook because it only needs to run when the server-acl-init +# Job gets recreated which only happens during an install or upgrade. +# We also utilize the helm hook-delete-policy to delete this job itself. +# We want to delete the server-acl-init job because once it runs successfully +# it's not needed and also because if it stays around then when users run +# helm upgrade with values that change the spec of the job, Kubernetes errors +# because the job spec is immutable. If the job is deleted, then a new job +# is created and there's no error. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "0" + # If the hook fails then all that happens is we didn't delete the job. + # There's no reason for *this* job to stay around in that case so delete + # regardless of success. + "helm.sh/hook-delete-policy": hook-succeeded,hook-failed +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + containers: + - name: server-acl-init-cleanup + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + command: + - consul-k8s-control-plane + args: + - delete-completed-job + - -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -k8s-namespace={{ .Release.Namespace }} + - {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 12 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-job.yaml new file mode 100644 index 0000000000..2e798a54d5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-job.yaml @@ -0,0 +1,353 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and $serverEnabled .Values.externalServers.enabled) }}{{ fail "only one of server.enabled or externalServers.enabled can be set" }}{{ end -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if and .Values.global.acls.createReplicationToken (not .Values.global.acls.manageSystemACLs) }}{{ fail "if global.acls.createReplicationToken is true, global.acls.manageSystemACLs must be true" }}{{ end -}} +{{- if .Values.global.bootstrapACLs }}{{ fail "global.bootstrapACLs was removed, use global.acls.manageSystemACLs instead" }}{{ end -}} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey)) (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}} + {{- /* We don't render this job when server.updatePartition > 0 because that + means a server rollout is in progress and this job won't complete unless + the rollout is finished (which won't happen until the partition is 0). + If we ran it in this case, then the job would not complete which would cause + the server-acl-init-cleanup hook to run indefinitely which would cause the + helm upgrade command to hang. +*/ -}} +{{- if eq (int .Values.server.updatePartition) 0 }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server-acl-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.acls.annotations }} + {{- tpl .Values.global.acls.annotations . | nindent 8 }} + {{- end }} + {{- if .Values.global.argocd.enabled }} + "argocd.argoproj.io/hook": "Sync" + "argocd.argoproj.io/hook-delete-policy": "HookSucceeded" + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + + {{- /* Run the Vault agent as both an init container and sidecar. + The Vault agent sidecar is needed when server-acl-init bootstraps ACLs + and writes the bootstrap token back to Vault. + * agent-pre-populate: true - Run the Vault agent init container. + * agent-pre-populate-only: false - Also, run the Vault agent sidecar. + * agent-cache-enable: true - Enable the Agent cache listener. + * agent-cache-listener-port: 8200 - (optional) Listen on 127.0.0.1:8200. + * agent-enable-quit: true - Enable a "quit" endpoint. server-acl-init + tells the Vault agent to stop (without this the Job will not complete). + */}} + "vault.hashicorp.com/agent-pre-populate": "true" + "vault.hashicorp.com/agent-pre-populate-only": "false" + "vault.hashicorp.com/agent-cache-enable": "true" + "vault.hashicorp.com/agent-cache-listener-port": "8200" + "vault.hashicorp.com/agent-enable-quit": "true" + "vault.hashicorp.com/agent-inject": "true" + {{- if .Values.global.acls.partitionToken.secretName }} + {{- with .Values.global.acls.partitionToken }} + "vault.hashicorp.com/agent-inject-secret-partition-token": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-partition-token": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.manageSystemACLsRole }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.manageSystemACLsRole }} + {{- else if .Values.global.tls.enabled }} + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.acls.replicationToken.secretName }} + "vault.hashicorp.com/agent-inject-secret-replication-token": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token": {{ template "consul.vaultReplicationTokenTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init + {{- if .Values.server.containerSecurityContext.aclInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }} + {{- end }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumes: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + secret: + secretName: {{ .Values.global.acls.replicationToken.secretName }} + items: + - key: {{ .Values.global.acls.replicationToken.secretKey }} + path: acl-replication-token + {{- end }} + {{- end }} + containers: + - name: server-acl-init-job + image: {{ .Values.global.imageK8S }} + {{- if not .Values.server.containerSecurityContext.aclInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # Extract the Vault namespace from the Vault agent annotations. + {{- if .Values.global.secretsBackend.vault.enabled }} + {{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }} + - name: VAULT_NAMESPACE + value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }} + {{- else if .Values.global.secretsBackend.vault.vaultNamespace }} + - name: VAULT_NAMESPACE + value: {{ .Values.global.secretsBackend.vault.vaultNamespace }} + {{- end }} + {{- end }} + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }} + volumeMounts: + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- if and .Values.global.acls.replicationToken.secretName (not .Values.global.secretsBackend.vault.enabled) }} + - name: acl-replication-token + mountPath: /consul/acl/tokens + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + CONSUL_FULLNAME="{{template "consul.fullname" . }}" + + exec consul-k8s-control-plane server-acl-init \ + -log-level={{ default .Values.global.logLevel .Values.global.acls.logLevel}} \ + -log-json={{ .Values.global.logJSON }} \ + -resource-prefix=${CONSUL_FULLNAME} \ + -k8s-namespace={{ .Release.Namespace }} \ + -set-server-tokens={{ $serverEnabled }} \ + {{- if .Values.global.secretsBackend.vault.enabled }} + -secrets-backend=vault \ + {{- else }} + -secrets-backend=kubernetes \ + {{- end }} + + {{- if (mustHas "resource-apis" .Values.global.experiments) }} + -enable-resource-apis=true \ + {{- end }} + + {{- if .Values.global.acls.bootstrapToken.secretName }} + -bootstrap-token-secret-name={{ .Values.global.acls.bootstrapToken.secretName }} \ + -bootstrap-token-secret-key={{ .Values.global.acls.bootstrapToken.secretKey }} \ + {{- end }} + + {{- if .Values.syncCatalog.enabled }} + -sync-catalog=true \ + {{- if .Values.syncCatalog.consulNodeName }} + -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- end }} + + {{- if .Values.global.peering.enabled }} + -enable-peering=true \ + {{- end }} + {{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} + -allow-dns=true \ + {{- end }} + + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + -connect-inject=true \ + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.k8sAuthMethodHost }} + -auth-method-host={{ .Values.externalServers.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.global.federation.k8sAuthMethodHost }} + -auth-method-host={{ .Values.global.federation.k8sAuthMethodHost }} \ + {{- end }} + + {{- if .Values.meshGateway.enabled }} + -mesh-gateway=true \ + {{- end }} + + {{- if .Values.ingressGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.ingressGateways.gateways }} + {{- if (or $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }} + -ingress-gateway-name="{{ .name }}.{{ (default $root.Values.ingressGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ingressGateways.gateways }} + -ingress-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.terminatingGateways.enabled }} + {{- if .Values.global.enableConsulNamespaces }} + {{- $root := . }} + {{- range .Values.terminatingGateways.gateways }} + {{- if (or $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }} + -terminating-gateway-name="{{ .name }}.{{ (default $root.Values.terminatingGateways.defaults.consulNamespace .consulNamespace) }}" \ + {{- else }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.terminatingGateways.gateways }} + -terminating-gateway-name="{{ .name }}" \ + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.connectInject.aclBindingRuleSelector }} + -acl-binding-rule-selector={{ .Values.connectInject.aclBindingRuleSelector }} \ + {{- end }} + + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey) }} + -create-enterprise-license-token=true \ + {{- end }} + + {{- if (and (not .Values.global.metrics.datadog.dogstatsd.enabled) .Values.global.metrics.datadog.enabled .Values.global.acls.manageSystemACLs) }} + -create-dd-agent-token=true \ + {{- end }} + + {{- if .Values.server.snapshotAgent.enabled }} + -snapshot-agent=true \ + {{- end }} + + {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} + -client=false \ + {{- end }} + + {{- if .Values.global.acls.createReplicationToken }} + -create-acl-replication-token=true \ + {{- end }} + + {{- if .Values.global.federation.enabled }} + -federation=true \ + {{- end }} + + {{- if .Values.global.acls.replicationToken.secretName }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -acl-replication-token-file=/vault/secrets/replication-token \ + {{- else }} + -acl-replication-token-file=/consul/acl/tokens/acl-replication-token \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.partitionToken.secretName }} + -partition-token-file=/vault/secrets/partition-token \ + {{- end }} + + {{- if .Values.apiGateway.enabled }} + -api-gateway-controller=true \ + {{- end }} + + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- /* syncCatalog must be enabled to set sync flags */}} + {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-sync-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-sync-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -sync-k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + + {{- /* connectInject must be enabled to set inject flags */}} + {{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} + {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + -consul-inject-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + -enable-inject-k8s-namespace-mirroring=true \ + {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} + -inject-k8s-namespace-mirroring-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.resources }} + resources: + {{- toYaml .Values.global.acls.resources | nindent 10 }} + {{- end }} + {{- if .Values.global.acls.tolerations }} + tolerations: + {{ tpl .Values.global.acls.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.global.acls.nodeSelector }} + nodeSelector: + {{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.4.3/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8c74364a29 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-config-configmap.yaml @@ -0,0 +1,220 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "enable_debug": {{ .Values.server.enableAgentDebug }}, + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true, + "leave_on_terminate": true, + "autopilot": { + "min_quorum": {{ template "consul.server.autopilotMinQuorum" . }}, + "disable_upgrade_migration": true + } + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}", + "disable_hostname": {{ .Values.global.metrics.disableAgentHostName }},{{ template "consul.prefixFilter" . }} + "enable_host_metrics": {{ .Values.global.metrics.enableHostMetrics }}{{- if .Values.global.metrics.datadog.dogstatsd.enabled }},{{ template "consul.dogstatsdAaddressInfo" . }} + {{- if .Values.global.metrics.datadog.dogstatsd.enabled }} + "dogstatsd_tags": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson }} + {{- end }} + {{- end }} + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.4.3/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..56805edc2a --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.server.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-role.yaml b/charts/hashicorp/consul/1.4.3/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.4.3/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-service.yaml b/charts/hashicorp/consul/1.4.3/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.4.3/templates/server-statefulset.yaml new file mode 100644 index 0000000000..315c8c4666 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-statefulset.yaml @@ -0,0 +1,749 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if and .Values.global.federation.enabled .Values.global.adminPartitions.enabled }}{{ fail "If global.federation.enabled is true, global.adminPartitions.enabled must be false because they are mutually exclusive" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.global.tls.enabled) }}{{ fail "If global.federation.enabled is true, global.tls.enabled must be true because federation is only supported with TLS enabled" }}{{ end }} +{{- if and .Values.global.federation.enabled (not .Values.meshGateway.enabled) }}{{ fail "If global.federation.enabled is true, meshGateway.enabled must be true because mesh gateways are required for federation" }}{{ end }} +{{- if and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert must also be provided" }}{{ end }} +{{- if .Values.server.disableFsGroupSecurityContext }}{{ fail "server.disableFsGroupSecurityContext has been removed. Please use global.openshift.enabled instead." }}{{ end }} +{{- if .Values.server.bootstrapExpect }}{{ if lt (int .Values.server.bootstrapExpect) (int .Values.server.replicas) }}{{ fail "server.bootstrapExpect cannot be less than server.replicas" }}{{ end }}{{ end }} +{{- if (and .Values.global.gossipEncryption.secretName (not .Values.global.gossipEncryption.secretKey)) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.gossipEncryption.secretName) .Values.global.gossipEncryption.secretKey) }}{{fail "gossipEncryption.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} +{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} +{{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} +{{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateMetricsConfig" . }} +{{ template "consul.validateDatadogConfiguration" . }} +{{ template "consul.validateExtraConfig" . }} +# StatefulSet to run the actual Consul server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + serviceName: {{ template "consul.fullname" . }}-server + podManagementPolicy: Parallel + replicas: {{ .Values.server.replicas }} + {{- if (gt (int .Values.server.updatePartition) 0) }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + partition: {{ .Values.server.updatePartition }} + {{- end }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: server + hasDNS: "true" + {{- if .Values.global.metrics.datadog.enabled }} + "tags.datadoghq.com/version": {{ template "consul.versionInfo" . }} + "tags.datadoghq.com/env": {{ template "consul.name" . }} + "tags.datadoghq.com/service": "consul-server" + {{- end }} + {{- if .Values.server.extraLabels }} + {{- toYaml .Values.server.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.secretsBackend.vault.enabled }} + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": "{{ .Values.global.secretsBackend.vault.consulServerRole }}" + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ .Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if .Values.global.gossipEncryption.secretName }} + {{- with .Values.global.gossipEncryption }} + "vault.hashicorp.com/agent-inject-secret-gossip.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-gossip.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-secret-servercert.crt": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.crt": {{ include "consul.serverTLSCertTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-servercert.key": {{ .Values.server.serverCert.secretName }} + "vault.hashicorp.com/agent-inject-template-servercert.key": {{ include "consul.serverTLSKeyTemplate" . }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ include "consul.serverTLSCATemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.createReplicationToken)) }} + "vault.hashicorp.com/agent-inject-secret-replication-token-config.hcl": "{{ .Values.global.acls.replicationToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-replication-token-config.hcl": {{ template "consul.vaultReplicationTokenConfigTemplate" . }} + {{- end }} + {{- if (and .Values.global.acls.manageSystemACLs .Values.global.acls.bootstrapToken.secretName) }} + "vault.hashicorp.com/agent-inject-secret-bootstrap-token-config.hcl": "{{ .Values.global.acls.bootstrapToken.secretName }}" + "vault.hashicorp.com/agent-inject-template-bootstrap-token-config.hcl": {{ template "consul.vaultBootstrapTokenConfigTemplate" . }} + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- if .Values.global.enterpriseLicense.secretName }} + {{- with .Values.global.enterpriseLicense }} + "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} + {{- end }} + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ print (include (print $.Template.BasePath "/server-config-configmap.yaml") .) (include (print $.Template.BasePath "/server-tmp-extra-config-configmap.yaml") .) | sha256sum }} + {{- if .Values.server.annotations }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + {{- if not .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" .Values.server.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/v1/agent/metrics" + {{- end }} + {{- if .Values.global.tls.enabled }} + "prometheus.io/port": "8501" + "prometheus.io/scheme": "https" + {{- else }} + "prometheus.io/port": "8500" + "prometheus.io/scheme": "http" + {{- end }} + {{- end }} + {{- if .Values.global.metrics.datadog.enabled }} + "ad.datadoghq.com/tolerate-unready": "true" + "ad.datadoghq.com/consul.logs": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson | replace "[" "[{" | replace "]" "}]" | replace ":" "\": \"" | join "\",\"" | squote }} + {{- if .Values.global.metrics.datadog.openMetricsPrometheus.enabled }} + "ad.datadoghq.com/consul.checks": | + { + "openmetrics": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "openmetrics_endpoint": "https://consul-server.{{ .Release.Namespace }}.svc:8501/v1/agent/metrics?format=prometheus", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "openmetrics_endpoint": "http://consul-server.{{ .Release.Namespace }}.svc:8500/v1/agent/metrics?format=prometheus", + {{- end }} + {{- if ( .Values.global.acls.manageSystemACLs) }} + "headers": { + "X-Consul-Token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]" + }, + {{- end }} + "namespace": "{{ .Release.Namespace }}", + "metrics": [ ".*" ] + } + ] + } + } + {{- else if (not .Values.global.metrics.datadog.dogstatsd.enabled) }} + "ad.datadoghq.com/consul.checks": | + { + "consul": { + "init_config": {}, + "instances": [ + { + {{- if .Values.global.tls.enabled }} + "url": "https://consul-server.{{ .Release.Namespace }}.svc:8501", + "tls_cert": "/etc/datadog-agent/conf.d/consul.d/certs/tls.crt", + "tls_private_key": "/etc/datadog-agent/conf.d/consul.d/certs/tls.key", + "tls_ca_cert": "/etc/datadog-agent/conf.d/consul.d/ca/tls.crt", + {{- else }} + "url": "http://consul-server.consul.svc:8500", + {{- end }} + "use_prometheus_endpoint": true, + {{- if ( .Values.global.acls.manageSystemACLs) }} + "acl_token": "ENC[k8s_secret@{{ .Release.Namespace }}/{{ .Release.Namespace }}-datadog-agent-metrics-acl-token/token]", + {{- end }} + "new_leader_checks": true, + "network_latency_checks": true, + "catalog_checks": true, + "auth_type": "basic" + } + ] + } + } + {{- else }} + "ad.datadoghq.com/consul.metrics_exclude": "true" + {{- end }} + {{- end }} + {{- end }} + spec: + {{- if .Values.server.affinity }} + affinity: + {{ tpl .Values.server.affinity . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- end }} + {{- if .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "consul.fullname" . }}-server + {{- if not .Values.global.openshift.enabled }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-server-config + - name: extra-config + emptyDir: {} + - name: tmp-extra-config + configMap: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-server-cert + secret: + {{- if .Values.server.serverCert.secretName }} + secretName: {{ .Values.server.serverCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-server-cert + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + secret: + secretName: {{ .Values.global.enterpriseLicense.secretName }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + secret: + secretName: {{ .Values.global.secretsBackend.vault.ca.secretName }} + items: + - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} + path: tls.crt + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + hostPath: + path: /var/run/datadog + type: DirectoryOrCreate + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName | quote }} + {{- end }} + initContainers: + - name: locality-init + image: {{ .Values.global.imageK8S }} + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane fetch-server-region -node-name "$NODE_NAME" -output-file /consul/extra-config/locality.json + volumeMounts: + - name: extra-config + mountPath: /consul/extra-config + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + containers: + - name: consul + image: "{{ default .Values.global.image .Values.server.image | trimPrefix "\"" | trimSuffix "\"" }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + env: + - name: ADVERTISE_IP + valueFrom: + fieldRef: + {{- if .Values.server.exposeGossipAndRPCPorts }} + {{- /* Server gossip and RPC ports will be exposed as a hostPort + on the hostIP, so they need to advertise their host ip + instead of their pod ip. This is to support external client + agents. */}} + fieldPath: status.hostIP + {{- else }} + fieldPath: status.podIP + {{- end }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CONSUL_DISABLE_PERM_MGMT + value: "true" + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + {{- if not .Values.global.secretsBackend.vault.enabled }} + - name: GOSSIP_KEY + valueFrom: + secretKeyRef: + {{- if .Values.global.gossipEncryption.autoGenerate }} + name: {{ template "consul.fullname" . }}-gossip-encryption-key + key: key + {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} + name: {{ .Values.global.gossipEncryption.secretName }} + key: {{ .Values.global.gossipEncryption.secretKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://localhost:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + {{- if and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName }} + - name: ACL_BOOTSTRAP_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.bootstrapToken.secretName | quote }} + key: {{ .Values.global.acls.bootstrapToken.secretKey | quote }} + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: ACL_REPLICATION_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.global.acls.replicationToken.secretName | quote }} + key: {{ .Values.global.acls.replicationToken.secretKey | quote }} + {{- end }} + {{- if .Values.global.cloud.enabled}} + # These are mounted as secrets so that the consul server agent can use them. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created for use in the + # `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below. + {{- if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 14 }} + EOF + {{- end }} + {{- end }} + + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} + GOSSIP_KEY=`cat /vault/secrets/gossip.txt` + {{- end }} + + {{ template "consul.extraconfig" }} + + exec /usr/local/bin/docker-entrypoint.sh consul agent \ + -advertise="${ADVERTISE_IP}" \ + -config-dir=/consul/config \ + {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }} + -encrypt="${GOSSIP_KEY}" \ + {{- end }} + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.acls.createReplicationToken)) }} + -config-file=/vault/secrets/replication-token-config.hcl \ + {{- else }} + -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ + {{- end }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} + -config-file=/vault/secrets/bootstrap-token-config.hcl \ + {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} + -hcl="acl { tokens { initial_management = \"${ACL_BOOTSTRAP_TOKEN}\" } }" \ + {{- end }} + {{- /* Always include the extraVolumes at the end so that users can + override other Consul settings. The last -config-dir takes + precedence. */}} + {{- range .Values.server.extraVolumes }} + {{- if .load }} + -config-dir=/consul/userconfig/{{ .name }} \ + {{- end }} + {{- end }} + -config-dir=/consul/extra-config \ + {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }} + -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }" + {{- end }} + + {{- if .Values.global.experiments }} + {{- $commaSeparatedValues := "" }} + {{- range $index, $value := .Values.global.experiments }} + {{- if ne $index 0 }} + {{- $commaSeparatedValues = printf "%s,\\\"%s\\\"" $commaSeparatedValues $value }} + {{- else }} + {{- $commaSeparatedValues = printf "\\\"%s\\\"" $value }} + {{- end }} + {{- end }} + -hcl="experiments=[{{ $commaSeparatedValues }}]" + {{- end }} + volumeMounts: + - name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + mountPath: /consul/data + - name: config + mountPath: /consul/config + - name: extra-config + mountPath: /consul/extra-config + - name: tmp-extra-config + mountPath: /consul/tmp/extra-config + {{- if (and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca/ + readOnly: true + - name: consul-server-cert + mountPath: /consul/tls/server + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled)) }} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.metrics.datadog.enabled .Values.global.metrics.datadog.dogstatsd.enabled (eq .Values.global.metrics.datadog.dogstatsd.socketTransportType "UDS" ) }} + - name: dsdsocket + mountPath: /var/run/datadog + readOnly: true + {{- end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + - name: vault-ca + mountPath: /consul/vault-ca/ + readOnly: true + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + containerPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + containerPort: 8501 + {{- end }} + - name: grpc + containerPort: 8502 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8502 + {{- end }} + protocol: "TCP" + - name: serflan-tcp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "TCP" + - name: serflan-udp + containerPort: {{ .Values.server.ports.serflan.port }} + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: {{ .Values.server.ports.serflan.port }} + {{- end }} + protocol: "UDP" + - name: serfwan-tcp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "TCP" + - name: serfwan-udp + containerPort: 8302 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8302 + {{- end }} + protocol: "UDP" + - name: server + containerPort: 8300 + {{- if .Values.server.exposeGossipAndRPCPorts }} + hostPort: 8300 + {{- end }} + - name: dns-tcp + containerPort: 8600 + protocol: "TCP" + - name: dns-udp + containerPort: 8600 + protocol: "UDP" + readinessProbe: + # NOTE(mitchellh): when our HTTP status endpoints support the + # proper status codes, we should switch to that. This is temporary. + exec: + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.tls.enabled }} + curl -k \ + https://127.0.0.1:8501/v1/status/leader \ + {{- else }} + curl http://127.0.0.1:8500/v1/status/leader \ + {{- end }} + 2>/dev/null | grep -E '".+"' + failureThreshold: 2 + initialDelaySeconds: 5 + periodSeconds: 3 + successThreshold: 1 + timeoutSeconds: 5 + {{- if .Values.server.resources }} + resources: + {{- if eq (typeOf .Values.server.resources) "string" }} + {{ tpl .Values.server.resources . | nindent 12 | trim }} + {{- else }} + {{- toYaml .Values.server.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.containerSecurityContext.server }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }} + {{- else }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8 }} + {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: + {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: data-{{ .Release.Namespace | trunc 58 | trimSuffix "-" }} + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.server.storage }} + {{- if .Values.server.storageClass }} + storageClassName: {{ .Values.server.storageClass }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..89ea9f3c5c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,60 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-deployment.yaml new file mode 100644 index 0000000000..3851f0a8e2 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-deployment.yaml @@ -0,0 +1,237 @@ +{{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} +# The deployment for running the sync-catalog pod +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.extraLabels }} + {{- toYaml .Values.syncCatalog.extraLabels | nindent 8 }} + {{- end }} + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.syncCatalog.annotations }} + {{- tpl .Values.syncCatalog.annotations . | nindent 8 }} + {{- end }} + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + spec: + serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog + volumes: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + containers: + - name: sync-catalog + image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + env: + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + {{- else }} + value: {{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + - name: CONSUL_LOGIN_DATACENTER + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + value: {{ .Values.global.federation.primaryDatacenter }} + {{- else }} + value: {{ .Values.global.datacenter }} + {{- end }} + - name: CONSUL_LOGIN_META + value: "component=sync-catalog,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if (and .Values.syncCatalog.aclSyncToken.secretName .Values.syncCatalog.aclSyncToken.secretKey) }} + - name: CONSUL_ACL_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.syncCatalog.aclSyncToken.secretName }} + key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} + {{- end }} + volumeMounts: + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane sync-catalog \ + -log-level={{ default .Values.global.logLevel .Values.syncCatalog.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -k8s-default-sync={{ .Values.syncCatalog.default }} \ + {{- if (not .Values.syncCatalog.toConsul) }} + -to-consul=false \ + {{- end }} + {{- if (not .Values.syncCatalog.toK8S) }} + -to-k8s=false \ + {{- end }} + -consul-domain={{ .Values.global.domain }} \ + {{- if .Values.syncCatalog.k8sPrefix }} + -k8s-service-prefix="{{ .Values.syncCatalog.k8sPrefix}}" \ + {{- end }} + {{- if .Values.syncCatalog.k8sSourceNamespace }} + -k8s-source-namespace="{{ .Values.syncCatalog.k8sSourceNamespace}}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sAllowNamespaces }} + -allow-k8s-namespace="{{ $value }}" \ + {{- end }} + {{- range $value := .Values.syncCatalog.k8sDenyNamespaces }} + -deny-k8s-namespace="{{ $value }}" \ + {{- end }} + -k8s-write-namespace=${NAMESPACE} \ + {{- if (not .Values.syncCatalog.syncClusterIPServices) }} + -sync-clusterip-services=false \ + {{- end }} + {{- if .Values.syncCatalog.nodePortSyncType }} + -node-port-sync-type={{ .Values.syncCatalog.nodePortSyncType }} \ + {{- end }} + {{- if .Values.syncCatalog.consulWriteInterval }} + -consul-write-interval={{ .Values.syncCatalog.consulWriteInterval }} \ + {{- end }} + {{- if .Values.syncCatalog.k8sTag }} + -consul-k8s-tag={{ .Values.syncCatalog.k8sTag }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNodeName }} + -consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + {{- if .Values.syncCatalog.consulPrefix}} + -consul-service-prefix="{{ .Values.syncCatalog.consulPrefix}}" \ + {{- end}} + {{- if .Values.syncCatalog.addK8SNamespaceSuffix}} + -add-k8s-namespace-suffix \ + {{- end}} + {{- if .Values.global.enableConsulNamespaces }} + -enable-namespaces=true \ + {{- if .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} + -consul-destination-namespace={{ .Values.syncCatalog.consulNamespaces.consulDestinationNamespace }} \ + {{- end }} + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8S }} + -enable-k8s-namespace-mirroring=true \ + {{- if .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} + -k8s-namespace-mirroring-prefix={{ .Values.syncCatalog.consulNamespaces.mirroringK8SPrefix }} \ + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + -consul-cross-namespace-acl-policy=cross-namespace-policy \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.ingress.enabled }} + -enable-ingress=true \ + {{- if .Values.syncCatalog.ingress.loadBalancerIPs }} + -loadBalancer-ips=true \ + {{- end }} + {{- end }} + {{- if .Values.syncCatalog.syncLoadBalancerEndpoints }} + -sync-lb-services-endpoints=true \ + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + scheme: HTTP + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + {{- with .Values.syncCatalog.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.syncCatalog.priorityClassName }} + priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} + {{- end }} + {{- if .Values.syncCatalog.nodeSelector }} + nodeSelector: + {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.affinity }} + affinity: + {{ tpl .Values.syncCatalog.affinity . | indent 8 | trim }} + {{- end }} + {{- if .Values.syncCatalog.tolerations }} + tolerations: + {{ tpl .Values.syncCatalog.tolerations . | indent 8 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-deployment.yaml new file mode 100644 index 0000000000..f7b6d7bd2e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-deployment.yaml @@ -0,0 +1,449 @@ +{{- if and .Values.telemetryCollector.enabled (not (mustHas "resource-apis" .Values.global.experiments)) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/connect-inject": "false" + # This annotation tells the endpoints controller that this pod was injected even though it wasn't. The + # endpoints controller would then sync the endpoint into Consul + "consul.hashicorp.com/connect-inject-status": "injected" + # Signals to the endpoints controller that we should force Consul NS creation, since we bypass the mesh webhook. + "consul.hashicorp.com/telemetry-collector": "true" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/connect-service-port": "metricsserver" + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/connect-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the connect injector so that we don't run into + # any race conditions on the connect-injector deployment or upgrade + - name: consul-connect-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + {{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }} + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: default + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane connect-init \ + -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -pod-name=${POD_NAME} \ + -pod-namespace=${POD_NAMESPACE} \ + -proxy-id-file="/consul/connect-inject/proxyid" \ + -service-account-name="consul-telemetry-collector" \ + -service-name="" + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- if .Values.global.metrics.datadog.otlp.enabled }} + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if eq (.Values.global.metrics.datadog.otlp.protocol | lower ) "http" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "http://$(HOST_IP):4318" + {{- else if eq (.Values.global.metrics.datadog.otlp.protocol | lower) "grpc" }} + - name: CO_OTEL_HTTP_ENDPOINT + value: "grpc://$(HOST_IP):4317" + {{- end }} + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/connect-inject/proxyid + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + - name: TMPDIR + value: /consul/connect-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/connect-inject + name: consul-connect-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-connect-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..09f4a2dbbc --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-deployment.yaml new file mode 100644 index 0000000000..9afe938e56 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-deployment.yaml @@ -0,0 +1,347 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateRequiredCloudSecretsExist" . }} +{{ template "consul.validateCloudSecretKeys" . }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- $names := dict }} + +{{- $gateways := .Values.terminatingGateways.gateways }} +{{- range $outerTerminatingIndex, $outerTerminatingVal := $gateways }} + +{{- range $innerTerminatingIndex, $innerTerminatingVal := $gateways }} +{{- if (and (ne $outerTerminatingIndex $innerTerminatingIndex) (eq $outerTerminatingVal.name $innerTerminatingVal.name)) }} +{{ fail (cat "terminating gateways must have unique names but found duplicate name" $innerTerminatingVal.name) }} +{{ end -}} +{{ end -}} + +{{- range $outerIngressIndex, $outerIngressVal := $root.Values.ingressGateways.gateways }} +{{- if (eq $outerTerminatingVal.name $outerIngressVal.name) }} +{{ fail (cat "terminating gateways cannot have duplicate names of any ingress gateways but found duplicate name" $outerTerminatingVal.name) }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- range .Values.terminatingGateways.gateways }} + +{{- if empty .name }} +# Check that name is not empty +{{ fail "Terminating gateway names cannot be empty"}} +{{ end -}} +{{- if hasKey $names .name }} +# Check that the name doesn't already exist +{{ fail "Terminating gateway names must be unique"}} +{{ end -}} +{{- /* Add the gateway name to the $names dict to ensure uniqueness */ -}} +{{- $_ := set $names .name .name }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ default $defaults.replicas .replicas }} + selector: + matchLabels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + template: + metadata: + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + consul.hashicorp.com/connect-inject-managed-by: consul-k8s-endpoints-controller + {{- if $root.Values.global.extraLabels }} + {{- toYaml $root.Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/gateway-kind": "terminating-gateway" + "consul.hashicorp.com/gateway-consul-service-name": "{{ .name }}" + {{- if $root.Values.global.enableConsulNamespaces }} + "consul.hashicorp.com/gateway-namespace": {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if (and $root.Values.global.secretsBackend.vault.enabled $root.Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ $root.Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ $root.Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" $root }} + {{- if and $root.Values.global.secretsBackend.vault.ca.secretName $root.Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": {{ $root.Values.global.secretsBackend.vault.ca.secretName }} + "vault.hashicorp.com/ca-cert": /vault/custom/{{ $root.Values.global.secretsBackend.vault.ca.secretKey }} + {{- end }} + {{- if $root.Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }} + {{- end }} + {{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + "prometheus.io/scrape": "true" + {{- if not (hasKey (default "" $defaults.annotations | fromYaml) "prometheus.io/path")}} + "prometheus.io/path": "/metrics" + {{- end }} + "prometheus.io/port": "20200" + {{- end }} + {{- if $defaults.annotations }} + # We allow both default annotations and gateway-specific annotations + {{- tpl $defaults.annotations $root | nindent 8 }} + {{- end }} + {{- if .annotations }} + {{- tpl .annotations $root | nindent 8 }} + {{- end }} + spec: + {{- if (or $defaults.affinity .affinity) }} + affinity: + {{ tpl (default $defaults.affinity .affinity) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.tolerations .tolerations) }} + tolerations: + {{ tpl (default $defaults.tolerations .tolerations) $root | nindent 8 | trim }} + {{- end }} + {{- if (or $defaults.topologySpreadConstraints .topologySpreadConstraints) }} + topologySpreadConstraints: + {{ tpl (default $defaults.topologySpreadConstraints .topologySpreadConstraints) $root | nindent 8 | trim }} + {{- end }} + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" $root }}-{{ .name }} + volumes: + - name: consul-service + emptyDir: + medium: "Memory" + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + {{- with .items }} + items: + {{- range . }} + - key: {{.key}} + path: {{.path}} + {{- end }} + {{- end }} + {{- end }} + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + secret: + {{- if $root.Values.global.tls.caCert.secretName }} + secretName: {{ $root.Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" $root }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" $root.Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + initContainers: + # terminating-gateway-init registers the terminating gateway service with Consul. + - name: terminating-gateway-init + image: {{ $root.Values.global.imageK8S }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- include "consul.consulK8sConsulServerEnvVars" $root | nindent 10 }} + {{- if $root.Values.global.enableConsulNamespaces }} + - name: CONSUL_NAMESPACE + value: {{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" $root }}-k8s-component-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ $root.Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + - name: CONSUL_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${NAMESPACE} \ + -gateway-kind="terminating-gateway" \ + -proxy-id-file=/consul/service/proxy-id \ + -service-name={{ .name }} \ + -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} \ + -log-json={{ $root.Values.global.logJSON }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + containers: + - name: terminating-gateway + image: {{ $root.Values.global.imageConsulDataplane | quote }} + {{- include "consul.restrictedSecurityContext" $ | nindent 10 }} + volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true + {{- if $root.Values.global.tls.enabled }} + {{- if not (or (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots) ($root.Values.global.secretsBackend.vault.enabled)) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + {{- range (default $defaults.extraVolumes .extraVolumes) }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: /consul/userconfig/{{ .name }} + {{- end }} + {{- if (default $defaults.resources .resources) }} + resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + - name: DP_SERVICE_NODE_NAME + value: $(NODE_NAME)-virtual + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + {{- if $root.Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel $root.Values.terminatingGateways.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + livenessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + tcpSocket: + port: 8443 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: gateway + containerPort: 8443 + {{- if (default $defaults.priorityClassName .priorityClassName) }} + priorityClassName: {{ (default $defaults.priorityClassName .priorityClassName) | quote }} + {{- end }} + {{- if (default $defaults.nodeSelector .nodeSelector) }} + nodeSelector: + {{ tpl (default $defaults.nodeSelector .nodeSelector) $root | indent 8 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..51e37664d3 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if $root.Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.4.3/templates/tests/test-runner.yaml new file mode 100644 index 0000000000..b8b078003b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tests/test-runner.yaml @@ -0,0 +1,78 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ template "consul.fullname" . }}-test" + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test-success +spec: + {{- if .Values.global.tls.enabled }} + volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} + {{- end }} + containers: + - name: consul-test + image: "{{ .Values.global.image }}" + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://$(HOST_IP):8501 + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://$(HOST_IP):8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + consul members | tee members.txt + if [ $(grep -c consul-server members.txt) != $(grep consul-server members.txt | grep -c alive) ] + then + echo "Failed because not all consul servers are available" + exit 1 + fi + + restartPolicy: Never +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-job.yaml new file mode 100644 index 0000000000..9500410a53 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-job.yaml @@ -0,0 +1,84 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init-cleanup job deletes Kubernetes secrets created by tls-init +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded + {{- /* Hook weight needs to be 1 so that the service account is provisioned first */}} + "helm.sh/hook-weight": "1" +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init-cleanup + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + containers: + - name: tls-init-cleanup + image: "{{ .Values.global.image }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + command: + - "/bin/sh" + - "-ec" + - | + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-ca-key \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + {{- end }} + curl -s -X DELETE --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ + https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets/{{ template "consul.fullname" . }}-server-cert \ + -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-job.yaml new file mode 100644 index 0000000000..41c0c2827e --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-job.yaml @@ -0,0 +1,126 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +# tls-init job generate Consul cluster CA and certificates for the Consul servers +# and creates Kubernetes secrets for them. +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + name: {{ template "consul.fullname" . }}-tls-init + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: tls-init + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + {{- if .Values.global.tls.annotations }} + {{- tpl .Values.global.tls.annotations . | nindent 8 }} + {{- end }} + spec: + restartPolicy: Never + serviceAccountName: {{ template "consul.fullname" . }}-tls-init + {{- if .Values.server.containerSecurityContext.tlsInit }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }} + {{- end }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumes: + - name: consul-ca-cert + secret: + secretName: {{ .Values.global.tls.caCert.secretName }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + - name: consul-ca-key + secret: + secretName: {{ .Values.global.tls.caKey.secretName }} + items: + - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} + path: tls.key + {{- end }} + containers: + - name: tls-init + image: "{{ .Values.global.imageK8S }}" + {{- if not .Values.server.containerSecurityContext.tlsInit }} + {{- include "consul.restrictedSecurityContext" . | nindent 10 }} + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + workingDir: /tmp + command: + - "/bin/sh" + - "-ec" + - | + # Suppress globbing so we can interpolate the $NAMESPACE environment variable + # and use * at the start of the dns name when setting -additional-dnsname. + set -o noglob + exec consul-k8s-control-plane tls-init \ + -log-level={{ default .Values.global.logLevel .Values.global.tls.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -domain={{ .Values.global.domain }} \ + -days=730 \ + -name-prefix={{ template "consul.fullname" . }} \ + -k8s-namespace=${NAMESPACE} \ + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + -ca=/consul/tls/ca/cert/tls.crt \ + -key=/consul/tls/ca/key/tls.key \ + {{- end }} + -additional-dnsname="{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}" \ + -additional-dnsname="*.{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="{{ template "consul.fullname" . }}-server.${NAMESPACE}.svc" \ + -additional-dnsname="*.server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }}" \ + {{- range .Values.global.tls.serverAdditionalIPSANs }} + -additional-ipaddress={{ . }} \ + {{- end }} + {{- range .Values.global.tls.serverAdditionalDNSSANs }} + -additional-dnsname={{ . }} \ + {{- end }} + -dc={{ .Values.global.datacenter }} + {{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }} + volumeMounts: + - name: consul-ca-cert + mountPath: /consul/tls/ca/cert + readOnly: true + - name: consul-ca-key + mountPath: /consul/tls/ca/key + readOnly: true + {{- end }} + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.4.3/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/ui-service.yaml b/charts/hashicorp/consul/1.4.3/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-deployment.yaml new file mode 100644 index 0000000000..45c87c9ceb --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-deployment.yaml @@ -0,0 +1,81 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + template: + metadata: + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + annotations: + "consul.hashicorp.com/connect-inject": "false" + "consul.hashicorp.com/mesh-inject": "false" + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/webhook-cert-manager-configmap.yaml") . | sha256sum }} + spec: + containers: + - command: + - "/bin/sh" + - "-ec" + - | + exec consul-k8s-control-plane webhook-cert-manager \ + -log-level={{ .Values.global.logLevel }} \ + -log-json={{ .Values.global.logJSON }} \ + -config-file=/bootstrap/config/webhook-config.json \ + -deployment-name={{ template "consul.fullname" . }}-webhook-cert-manager \ + -deployment-namespace={{ .Release.Namespace }} + image: {{ .Values.global.imageK8S }} + name: webhook-cert-manager + {{- include "consul.restrictedSecurityContext" . | nindent 8 }} + resources: + limits: + cpu: 100m + memory: 50Mi + requests: + cpu: 100m + memory: 50Mi + volumeMounts: + - name: config + mountPath: /bootstrap/config + terminationGracePeriodSeconds: 10 + serviceAccountName: {{ template "consul.fullname" . }}-webhook-cert-manager + volumes: + - name: config + configMap: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + {{- if .Values.webhookCertManager.tolerations }} + tolerations: + {{ tpl .Values.webhookCertManager.tolerations . | indent 8 | trim }} + {{- end }} + {{- if .Values.webhookCertManager.nodeSelector }} + nodeSelector: + {{ tpl .Values.webhookCertManager.nodeSelector . | indent 8 | trim }} + {{- end }} + +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.4.3/values.yaml b/charts/hashicorp/consul/1.4.3/values.yaml new file mode 100644 index 0000000000..43cfe02f9b --- /dev/null +++ b/charts/hashicorp/consul/1.4.3/values.yaml @@ -0,0 +1,3788 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Consul chart. + +# Holds values that affect multiple components of the chart. +global: + # The main enabled/disabled setting. If true, servers, + # clients, Consul DNS and the Consul UI will be enabled. Each component can override + # this default via its component-specific "enabled" config. If false, no components + # will be installed by default and per-component opt-in is required, such as by + # setting `server.enabled` to true. + enabled: true + + # The default log level to apply to all components which do not otherwise override this setting. + # It is recommended to generally not set this below "info" unless actively debugging due to logging verbosity. + # One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "info" + + # Enable all component logs to be output in JSON format. + # @type: boolean + logJSON: false + + # Set the prefix used for all resources in the Helm chart. If not set, + # the prefix will be `-consul`. + # @type: string + name: null + + # The domain Consul will answer DNS queries for + # (Refer to [`-domain`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_domain)) and the domain services synced from + # Consul into Kubernetes will have, e.g. `service-name.service.consul`. + domain: consul + + # Configures the Cluster Peering feature. Requires Consul v1.14+ and Consul-K8s v1.0.0+. + peering: + # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and + # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. + enabled: false + + # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. + # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise + # license. Admin partitions enables deploying services across partitions, while sharing + # a set of Consul servers. + adminPartitions: + # If true, the Helm chart will enable Admin Partitions for the cluster. The clients in the server cluster + # must be installed in the default partition. Creation of Admin Partitions is only supported during installation. + # Admin Partitions cannot be installed via a Helm upgrade operation. Only Helm installs are supported. + enabled: false + + # The name of the Admin Partition. The partition name cannot be modified once the partition has been installed. + # Changing the partition name would require an un-install and a re-install with the updated name. + # Must be "default" in the server cluster ie the Kubernetes cluster that the Consul server pods are deployed onto. + name: "default" + + # The name (and tag) of the Consul Docker image for clients and servers. + # This can be overridden per component. This should be pinned to a specific + # version tag, otherwise you may inadvertently upgrade your Consul version. + # + # Examples: + # + # ```yaml + # # Consul 1.10.0 + # image: "consul:1.10.0" + # # Consul Enterprise 1.10.0 + # image: "hashicorp/consul-enterprise:1.10.0-ent" + # ``` + # @default: hashicorp/consul: + image: hashicorp/consul:1.18.2 + + # Array of objects containing image pull secret names that will be applied to each service account. + # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. + # Refer to https://kubernetes.io/docs/concepts/containers/images/#using-a-private-registry. + # + # Example: + # + # ```yaml + # imagePullSecrets: + # - name: pull-secret-name + # - name: pull-secret-name-2 + # ``` + # @type: array + imagePullSecrets: [] + + # The name (and tag) of the consul-k8s-control-plane Docker + # image that is used for functionality such as catalog sync. + # This can be overridden per component. + # @default: hashicorp/consul-k8s-control-plane: + imageK8S: hashicorp/consul-k8s-control-plane:1.4.3 + + # The name of the datacenter that the agents should + # register as. This can't be changed once the Consul cluster is up and running + # since Consul doesn't support an automatic way to change this value currently: + # https://github.com/hashicorp/consul/issues/1858. + datacenter: dc1 + + # Controls whether pod security policies are created for the Consul components + # created by this chart. Refer to https://kubernetes.io/docs/concepts/policy/pod-security-policy/. + enablePodSecurityPolicies: false + + # secretsBackend is used to configure Vault as the secrets backend for the Consul on Kubernetes installation. + # The Vault cluster needs to have the Kubernetes Auth Method, KV2 and PKI secrets engines enabled + # and have necessary secrets, policies and roles created prior to installing Consul. + # Refer to [Vault as the Secrets Backend](https://developer.hashicorp.com/consul/docs/k8s/deployment-configurations/vault) + # documentation for full instructions. + # + # The Vault cluster _must_ not have the Consul cluster installed by this Helm chart as its storage backend + # as that would cause a circular dependency. + # Vault can have Consul as its storage backend as long as that Consul cluster is not running on this Kubernetes cluster + # and is being managed separately from this Helm installation. + # + # Note: When using Vault KV2 secrets engines the "data" field is implicitly required for Vault API calls, + # secretName should be in the form of "vault-kv2-mount-path/data/secret-name". + # secretKey should be in the form of "key". + secretsBackend: + vault: + # Vault namespace (optional). This sets the Vault namespace for the `vault.hashicorp.com/namespace` + # agent annotation and [Vault Connect CA namespace](https://developer.hashicorp.com/consul/docs/connect/ca/vault#namespace). + # To override one of these values individually, see `agentAnnotations` and `connectCA.additionalConfig`. + vaultNamespace: "" + + # Enabling the Vault secrets backend will replace Kubernetes secrets with referenced Vault secrets. + enabled: false + + # The Vault role for the Consul server. + # The role must be connected to the Consul server's service account. + # The role must also have a policy with read capabilities for the following secrets: + # - gossip encryption key defined by the `global.gossipEncryption.secretName` value + # - certificate issue path defined by the `server.serverCert.secretName` value + # - CA certificate defined by the `global.tls.caCert.secretName` value + # - replication token defined by the `global.acls.replicationToken.secretName` value if `global.federation.enabled` is `true` + # To discover the service account name of the Consul server, run + # ```shell-session + # $ helm template --show-only templates/server-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulServerRole: "" + + # The Vault role for the Consul client. + # The role must be connected to the Consul client's service account. + # The role must also have a policy with read capabilities for the gossip encryption + # key defined by the `global.gossipEncryption.secretName` value. + # To discover the service account name of the Consul client, run + # ```shell-session + # $ helm template --show-only templates/client-serviceaccount.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + consulClientRole: "" + + # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. + # The role must be connected to the `server-acl-init` job's service account. + # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens + # To discover the service account name of the `server-acl-init` job, run + # ```shell-session + # $ helm template --show-only templates/server-acl-init-serviceaccount.yaml \ + # --set global.acls.manageSystemACLs=true hashicorp/consul + # ``` + # and check the name of `metadata.name`. + manageSystemACLsRole: "" + + # [Enterprise Only] A Vault role that allows the Consul `partition-init` job to read a Vault secret for the partition ACL token. + # The `partition-init` job bootstraps Admin Partitions on Consul servers. + # . + # This role must be bound the `partition-init` job's service account. + # To discover the service account name of the `partition-init` job, run with Helm values for the client cluster: + # ```shell-session + # $ helm template --show-only templates/partition-init-serviceaccount.yaml -f client-cluster-values.yaml hashicorp/consul + # ``` + # and check the name of `metadata.name`. + adminPartitionsRole: "" + + # The Vault role to read Consul connect-injector webhook's CA + # and issue a certificate and private key. + # A Vault policy must be created which grants issue capabilities to + # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. + connectInjectRole: "" + + # The Vault role for all Consul components to read the Consul's server's CA Certificate (unauthenticated). + # The role should be connected to the service accounts of all Consul components, or alternatively `*` since it + # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants + # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. + consulCARole: "" + + # This value defines additional annotations for + # Vault agent on any pods where it'll be running. + # This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + agentAnnotations: null + + # Configuration for Vault server CA certificate. This certificate will be mounted + # to any pod where Vault agent needs to run. + ca: + # The name of the Kubernetes or Vault secret that holds the Vault CA certificate. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes or Vault secret that holds the Vault CA certificate. + secretKey: "" + + # Configuration for the Vault Connect CA provider. + # The provider will be configured to use the Vault Kubernetes auth method + # and therefore requires the role provided by `global.secretsBackend.vault.consulServerRole` + # to have permissions to the root and intermediate PKI paths. + # Please refer to [Vault ACL policies](https://developer.hashicorp.com/consul/docs/connect/ca/vault#vault-acl-policies) + # documentation for information on how to configure the Vault policies. + connectCA: + # The address of the Vault server. + address: "" + + # The mount path of the Kubernetes auth method in Vault. + authMethodPath: "kubernetes" + + # The path to a PKI secrets engine for the root certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#rootpkipath). + rootPKIPath: "" + + # The path to a PKI secrets engine for the generated intermediate certificate. + # For more details, please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#intermediatepkipath). + intermediatePKIPath: "" + + # Additional Connect CA configuration in JSON format. + # Please refer to [Vault Connect CA configuration](https://developer.hashicorp.com/consul/docs/connect/ca/vault#configuration) + # for all configuration options available for that provider. + # + # Example: + # + # ```yaml + # additionalConfig: | + # { + # "connect": [{ + # "ca_config": [{ + # "leaf_cert_ttl": "36h" + # }] + # }] + # } + # ``` + additionalConfig: | + {} + + connectInject: + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get CA certificates + # used issued from vault to send webhooks to the ConnectInject. + caCert: + # The Vault secret path that contains the CA certificate for + # Connect Inject webhooks. + # @type: string + secretName: null + + # Configuration to the Vault Secret that Kubernetes uses on + # Kubernetes pod creation, deletion, and update, to get TLS certificates + # used issued from vault to send webhooks to the ConnectInject. + tlsCert: + # The Vault secret path that issues TLS certificates for connect + # inject webhooks. + # @type: string + secretName: null + + # Configures Consul's gossip encryption key. + # (Refer to [`-encrypt`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_encrypt)). + # By default, gossip encryption is not enabled. The gossip encryption key may be set automatically or manually. + # The recommended method is to automatically generate the key. + # To automatically generate and set a gossip encryption key, set autoGenerate to true. + # Values for secretName and secretKey should not be set if autoGenerate is true. + # To manually generate a gossip encryption key, set secretName and secretKey and use Consul to generate + # a key, saving this as a Kubernetes secret or Vault secret path and key. + # If `global.secretsBackend.vault.enabled=true`, be sure to add the "data" component of the secretName path as required by + # the Vault KV-2 secrets engine [refer to example]. + # + # ```shell-session + # $ kubectl create secret generic consul-gossip-encryption-key --from-literal=key=$(consul keygen) + # ``` + # + # Vault CLI Example: + # ```shell-session + # $ vault kv put consul/secrets/gossip key=$(consul keygen) + # ``` + # `gossipEncryption.secretName="consul/data/secrets/gossip"` + # `gossipEncryption.secretKey="key"` + + gossipEncryption: + # Automatically generate a gossip encryption key and save it to a Kubernetes or Vault secret. + autoGenerate: false + # The name of the Kubernetes secret or Vault secret path that holds the gossip + # encryption key. A Kubernetes secret must be in the same namespace that Consul is installed into. + secretName: "" + # The key within the Kubernetes secret or Vault secret key that holds the gossip + # encryption key. + secretKey: "" + # Override global log verbosity level for gossip-encryption-autogenerate-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A list of addresses of upstream DNS servers that are used to recursively resolve DNS queries. + # These values are given as `-recursor` flags to Consul servers and clients. + # Refer to [`-recursor`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_recursor) for more details. + # If this is an empty array (the default), then Consul DNS will only resolve queries for the Consul top level domain (by default `.consul`). + # @type: array + recursors: [] + + # Enables [TLS](https://developer.hashicorp.com/consul/tutorials/security/tls-encryption-secure) + # across the cluster to verify authenticity of the Consul servers and clients. + # Requires Consul v1.4.1+. + tls: + # If true, the Helm chart will enable TLS for Consul + # servers and clients and all consul-k8s-control-plane components, as well as generate certificate + # authority (optional) and server and client certificates. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # If true, turns on the auto-encrypt feature on clients and servers. + # It also switches consul-k8s-control-plane components to retrieve the CA from the servers + # via the API. Requires Consul 1.7.1+. + enableAutoEncrypt: false + + # A list of additional DNS names to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalDNSSANs: [] + + # A list of additional IP addresses to set as Subject Alternative Names (SANs) + # in the server certificate. This is useful when you need to access the + # Consul server(s) externally, for example, if you're using the UI. + # @type: array + serverAdditionalIPSANs: [] + + # If true, `verify_outgoing`, `verify_server_hostname`, + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. + # Set this to false to incrementally roll out TLS on an existing Consul cluster. + # Please refer to [TLS on existing clusters](https://developer.hashicorp.com/consul/docs/k8s/operations/tls-on-existing-cluster) + # for more details. + verify: true + + # If true, the Helm chart will configure Consul to disable the HTTP port on + # both clients and servers and to only accept HTTPS connections. + httpsOnly: true + + # A secret containing the certificate of the CA to use for TLS communication within the Consul cluster. + # If you have generated the CA yourself with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-cert \ + # --from-file='tls.crt=./consul-agent-ca.pem' + # ``` + # If you are using Vault as a secrets backend with TLS, `caCert.secretName` must be provided and should reference + # the CA path for your PKI secrets engine. This should be of the form `pki/cert/ca` where `pki` is the mount point of your PKI secrets engine. + # A read policy must be created and associated with the CA cert path for `global.tls.caCert.secretName`. + # This will be consumed by the `global.secretsBackend.vault.consulCARole` role by all Consul components. + # When using Vault the secretKey is not used. + caCert: + # The name of the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA certificate. + # @type: string + secretKey: null + + # A Kubernetes or Vault secret containing the private key of the CA to use for + # TLS communication within the Consul cluster. If you have generated the CA yourself + # with the consul CLI, you could use the following command to create the secret + # in Kubernetes: + # + # ```shell-session + # $ kubectl create secret generic consul-ca-key \ + # --from-file='tls.key=./consul-agent-ca-key.pem' + # ``` + # + # Note that we need the CA key so that we can generate server and client certificates. + # It is particularly important for the client certificates since they need to have host IPs + # as Subject Alternative Names. If you are setting server certs yourself via `server.serverCert` + # and you are not enabling clients (or clients are enabled with autoEncrypt) then you do not + # need to provide the CA key. + caKey: + # The name of the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the CA key. + # @type: string + secretKey: null + + # This value defines additional annotations for + # tls init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `enableConsulNamespaces` indicates that you are running + # Consul Enterprise v1.7+ with a valid Consul Enterprise license and would + # like to make use of configuration beyond registering everything into + # the `default` Consul namespace. Additional configuration + # options are found in the `consulNamespaces` section of both the catalog sync + # and connect injector. + enableConsulNamespaces: false + + # Configure ACLs. + acls: + # If true, the Helm chart will automatically manage ACL tokens and policies + # for all Consul and consul-k8s-control-plane components. + # This requires Consul >= 1.4. + manageSystemACLs: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # A Kubernetes or Vault secret containing the bootstrap token to use for creating policies and + # tokens for all Consul and consul-k8s-control-plane components. If `secretName` and `secretKey` + # are unset, a default secret name and secret key are used. If the secret is populated, then + # we will skip ACL bootstrapping of the servers and will only initialize ACLs for the Consul + # clients and consul-k8s-control-plane system components. + # If the secret is empty, then we will bootstrap ACLs on the Consul servers, and write the + # bootstrap token to this secret. If ACLs are already bootstrapped on the servers, then the + # secret must contain the bootstrap token. + bootstrapToken: + # The name of the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `{{ global.name }}-bootstrap-acl-token`. + secretName: null + # The key within the Kubernetes or Vault secret that holds the bootstrap token. + # If unset, this defaults to `token`. + secretKey: null + + # If true, an ACL token will be created that can be used in secondary + # datacenters for replication. This should only be set to true in the + # primary datacenter since the replication token must be created from that + # datacenter. + # In secondary datacenters, the secret needs to be imported from the primary + # datacenter and referenced via `global.acls.replicationToken`. + createReplicationToken: false + + # replicationToken references a secret containing the replication ACL token. + # This token will be used by secondary datacenters to perform ACL replication + # and create ACL tokens and policies. + # This value is ignored if `bootstrapToken` is also set. + replicationToken: + # The name of the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the replication token. + # @type: string + secretKey: null + + # The resource requests (CPU, memory, etc.) for the server-acl-init and server-acl-init-cleanup pods. + # This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#resourcerequirements-v1-core) + # object. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # partitionToken references a Vault secret containing the ACL token to be used in non-default partitions. + # This value should only be provided in the default partition and only when setting + # the `global.secretsBackend.vault.enabled` value to true. + # Consul will use the value of the secret stored in Vault to create an ACL token in Consul with the value of the + # secret as the secretID for the token. + # In non-default, partitions set this secret as the `bootstrapToken`. + partitionToken: + # The name of the Vault secret that holds the partition token. + # @type: string + secretName: null + # The key within the Vault secret that holds the parition token. + # @type: string + secretKey: null + + # tolerations configures the taints and tolerations for the server-acl-init + # and server-acl-init-cleanup jobs. This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + tolerations: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the server-acl-init and server-acl-init-cleanup jobs pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines additional annotations for + # acl init jobs. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # If argocd.enabled is set to true, following annotations are added to + # job - server-acl-init-job + # annotations - + # argocd.argoproj.io/hook: Sync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded + argocd: + enabled: false + + # [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created + # that contains your enterprise license. It is required if you are using an + # enterprise binary. Defining it here applies it to your cluster once a leader + # has been elected. If you are not using an enterprise image or if you plan to + # introduce the license key via another route, then set these fields to null. + # Note: the job to apply license runs on both Helm installs and upgrades. + enterpriseLicense: + # The name of the Kubernetes or Vault secret that holds the enterprise license. + # A Kubernetes secret must be in the same namespace that Consul is installed into. + # @type: string + secretName: null + # The key within the Kubernetes or Vault secret that holds the enterprise license. + # @type: string + secretKey: null + # Manages license autoload. Required in Consul 1.10.0+, 1.9.7+ and 1.8.12+. + enableLicenseAutoload: true + + # Configure federation. + federation: + # If enabled, this datacenter will be federation-capable. Only federation + # via mesh gateways is supported. + # Mesh gateways and servers will be configured to allow federation. + # Requires `global.tls.enabled`, `connectInject.enabled`, and one of + # `meshGateway.enabled` or `externalServers.enabled` to be true. + # Requires Consul 1.8+. + enabled: false + + # If true, the chart will create a Kubernetes secret that can be imported + # into secondary datacenters so they can federate with this datacenter. The + # secret contains all the information secondary datacenters need to contact + # and authenticate with this datacenter. This should only be set to true + # in your primary datacenter. The secret name is + # `-federation` (if setting `global.name`), otherwise + # `-consul-federation`. + createFederationSecret: false + + # The name of the primary datacenter. + # @type: string + primaryDatacenter: null + + # A list of addresses of the primary mesh gateways in the form `:` + # (e.g. `["1.1.1.1:443", "2.3.4.5:443"]`). + # @type: array + primaryGateways: [] + + # If you are setting `global.federation.enabled` to true and are in a secondary datacenter, + # set `k8sAuthMethodHost` to the address of the Kubernetes API server of the secondary datacenter. + # This address must be reachable from the Consul servers in the primary datacenter. + # This auth method will be used to provision ACL tokens for Consul components and is different + # from the one used by the Consul Service Mesh. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `externalServers.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You can retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # Override global log verbosity level for the create-federation-secret-job pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Configures metrics for Consul service mesh + metrics: + # Configures the Helm chart’s components + # to expose Prometheus metrics for the Consul service mesh. By default + # this includes gateway metrics and sidecar metrics. + # @type: boolean + enabled: false + + # Configures consul agent metrics. Only applicable if + # `global.metrics.enabled` is true. + # @type: boolean + enableAgentMetrics: false + + # Set to true to stop prepending the machine's hostname to gauge-type metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + disableAgentHostName: false + + # Configures consul agent underlying host metrics. Default is false. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + # @type: boolean + enableHostMetrics: false + + # Configures the retention time for metrics in Consul clients and + # servers. This must be greater than 0 for Consul clients and servers + # to expose any metrics at all. + # Only applicable if `global.metrics.enabled` is true. + # @type: string + agentMetricsRetentionTime: 1m + + # If true, mesh, terminating, and ingress gateways will expose their + # Envoy metrics on port `20200` at the `/metrics` path and all gateway pods + # will have Prometheus scrape annotations. Only applicable if `global.metrics.enabled` is true. + # @type: boolean + enableGatewayMetrics: true + + # Configures the Helm chart’s components to forward envoy metrics for the Consul service mesh to the + # consul-telemetry-collector. This includes gateway metrics and sidecar metrics. + # @type: boolean + enableTelemetryCollector: false + + # Configures the list of filter rules to apply for allowing or blocking + # metrics by prefix in the following format: + # + # A leading "+" will enable any metrics with the given prefix, and a leading "-" will block them. + # If there is overlap between two rules, the more specific rule will take precedence. + # Blocking will take priority if the same prefix is listed multiple times. + prefixFilter: + # @type: array + allowList: [] + # @type: array + blockList: [] + + # Configures consul integration configurations for datadog on kubernetes. + # Only applicable if `global.metrics.enabled` and `global.metrics.enableAgentMetrics` is true. + datadog: + # Enables datadog [Consul Autodiscovery Integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#metric-collection) + # by configuring the required `ad.datadoghq.com/consul.checks` annotation. The following _Consul_ agent metrics/health statuses + # are monitored by Datadog unless monitoring via OpenMetrics (Prometheus) or DogStatsD: + # - Serf events and member flaps + # - The Raft protocol + # - DNS performance + # - API Endpoints scraped: + # - `/v1/agent/metrics?format=prometheus` + # - `/v1/agent/self` + # - `/v1/status/leader` + # - `/v1/status/peers` + # - `/v1/catalog/services` + # - `/v1/health/service` + # - `/v1/health/state/any` + # - `/v1/coordinate/datacenters` + # - `/v1/coordinate/nodes` + # + # Setting either `global.metrics.datadog.otlp.enabled=true` or `global.metrics.datadog.dogstatsd.enabled=true` disables the above checks + # in lieu of metrics data collection via DogStatsD or by a customer OpenMetrics (Prometheus) collection endpoint. + # + # ~> **Note:** If you have a [dogstatsd_mapper_profile](https://docs.datadoghq.com/integrations/consul/?tab=host#dogstatsd) configured for Consul + # residing on either your Datadog NodeAgent or ClusterAgent the default Consul agent metrics/health status checks will fail. If you do not desire + # to utilize DogStatsD metrics emission from Consul, remove this configuration file, and restart your Datadog agent to permit the checks to run. + # + # @default: false + # @type: boolean + enabled: false + + # Configures Kubernetes Prometheus/OpenMetrics auto-discovery annotations for use with Datadog. + # This configuration is less common and more for advanced usage with custom metrics monitoring + # configurations. Refer to the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/prometheus/?tab=kubernetesadv2) for more details. + openMetricsPrometheus: + # @default: false + # @type: boolean + enabled: false + + otlp: + # Enables forwarding of Consul's Telemetry Collector OTLP metrics for + # ingestion by Datadog Agent. + # @default: false + # @type: boolean + enabled: false + # Protocol used for DataDog Endpoint OTLP ingestion. + # + # Valid protocol options are one of either: + # + # - "http": will forward to DataDog HTTP OTLP Node Agent Endpoint default - "0.0.0.0:4318" + # - "grpc": will forward to DataDog gRPC OTLP Node Agent Endpoint default - "0.0.0.0:4317" + # + # @default: "http" + # @type: string + protocol: "http" + + # Configuration settings for DogStatsD metrics aggregation service + # that is bundled with the Datadog Agent. + # DogStatsD implements the StatsD protocol and adds a few Datadog-specific extensions: + # - Histogram metric type + # - Service checks + # - Events + # - Tagging + dogstatsd: + enabled: false + # Sets the socket transport type for dogstatsd: + # - "UDS" (Unix Domain Socket): prefixes `unix://` to URL and appends path to socket (i.e., "unix:///var/run/datadog/dsd.socket") + # If set, this will create the required [hostPath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath) mount for + # managing [DogStatsD with Unix Domain Socket on Kubernetes](https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=kubernetes). + # The volume is mounted using the `DirectoryOrCreate` type, thereby setting `0755` permissions with the same kubelet group ownership. + # + # Applies the following `volumes` and `volumeMounts` to the consul-server stateful set consul containers: + # + # ```yaml + # volumes: + # - name: dsdsocket + # hostPath: + # path: /var/run/datadog + # type: DirectoryOrCreate + # volumeMounts: + # - name: dsdsocket + # mountPath: /var/run/datadog + # readOnly: true + # ``` + # - "UDP" (User Datagram Protocol): assigns address to use `hostname/IP:Port` formatted URL for UDP transport to hostIP based + # dogstatsd sink (i.e., 127.0.0.1:8125). HostIP of Datadog agent must be reachable and known to Consul server emitting metrics. + # + # @default: "UDS" + # @type: string + socketTransportType: "UDS" + # Sets URL path for dogstatsd: + # + # Can be either a path to unix domain socket or an IP Address or Hostname that's reachable from the + # consul-server service, server containers. When using "UDS" the path will be appended. When using "UDP" + # the path will be prepended to the specified `dogstatsdPort`. + # + # @default: "/var/run/datadog/dsd.socket" + # @type: string + dogstatsdAddr: "/var/run/datadog/dsd.socket" + # Configures IP based dogstatsd designated port that will be appended to "UDP" based transport socket IP/Hostname URL. + # + # If using a kubernetes service based address (i.e., datadog.default.svc.cluster.local), set this to 0 to + # mitigate appending a port value to the dogstatsd address field. Resultant address would be "datadog.default.svc.cluster.local" with + # default port setting, while appending a non-zero port would result in "172.10.23.6:8125" with a dogstatsdAddr value + # of "172.10.23.6". + # + # @default: 0 + # @type: integer + dogstatsdPort: 0 + # Configures datadog [autodiscovery](https://docs.datadoghq.com/containers/kubernetes/log/?tab=operator#autodiscovery) + # style [log integration](https://docs.datadoghq.com/integrations/consul/?tab=containerized#log-collection) + # configuration for Consul. + # + # The default settings should handle most Consul Kubernetes deployment schemes. The resultant annotation + # will reside on the consul-server statefulset as autodiscovery annotations. + # (i.e., ad.datadoghq.com/consul.logs: ["source:consul","consul_service:consul-server", ""]) + # + # @default: ["source:consul","consul_service:consul-server"] + # @type: array + dogstatsdTags: ["source:consul","consul_service:consul-server"] + # Namespace + # + # @default: "default" + # @type: string + namespace: "default" + + + # The name (and tag) of the consul-dataplane Docker image used for the + # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. + # @default: hashicorp/consul-dataplane: + imageConsulDataplane: hashicorp/consul-dataplane:1.4.2 + + # Configuration for running this Helm chart on the Red Hat OpenShift platform. + # This Helm chart currently supports OpenShift v4.x+. + openshift: + # If true, the Helm chart will create necessary configuration for running + # its components on OpenShift. + enabled: false + + # The time in seconds that the consul API client will wait for a response from + # the API before cancelling the request. + consulAPITimeout: 5s + + # Enables installing an HCP Consul Central self-managed cluster. + # Requires Consul v1.14+. + cloud: + # If true, the Helm chart will link a [self-managed cluster to HCP](https://developer.hashicorp.com/hcp/docs/consul/self-managed). + # This can either be used to [configure a new cluster](https://developer.hashicorp.com/hcp/docs/consul/self-managed/new) + # or [link an existing one](https://developer.hashicorp.com/hcp/docs/consul/self-managed/existing). + # + # Note: this setting should not be enabled for [HCP Consul Dedicated clusters](/hcp/docs/consul/dedicated). + # It is strictly for linking self-managed clusters. + enabled: false + + # The resource id of the HCP Consul Central cluster to link to. Eg: + # organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster + # This is required when global.cloud.enabled is true. + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to link the cluster + # in global.cloud.resourceId to HCP Consul Central. + # This is required when global.cloud.enabled is true. + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + # The hostname of HCP's API. This setting is used for internal testing and validation. + apiHost: + # The name of the Kubernetes secret that holds the api hostname. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the api hostname. + # @type: string + secretKey: null + + # The URL of HCP's auth API. This setting is used for internal testing and validation. + authUrl: + # The name of the Kubernetes secret that holds the authorization url. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the authorization url. + # @type: string + secretKey: null + + # The address of HCP's scada service. This setting is used for internal testing and validation. + scadaAddress: + # The name of the Kubernetes secret that holds the scada address. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the scada address. + # @type: string + secretKey: null + + # Extra labels to attach to all pods, deployments, daemonsets, statefulsets, and jobs. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: {} + + # Optional PEM-encoded CA certificates that will be added to trusted system CAs. + # + # Example: + # + # ```yaml + # trustedCAs: [ + # | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ] + # ``` + # @type: array + trustedCAs: [] + + # Consul feature flags that will be enabled across components. + # Supported feature flags: + # - `resource-apis`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul components will use the + # V2 resources APIs for all operations. + # - `v2tenancy`: + # _**Warning**_! This feature is under active development. It is not + # recommended for production use. Setting this flag during an + # upgrade could risk breaking your Consul cluster. + # If this flag is set, Consul V2 resources (catalog, mesh, auth, etc) + # will use V2 implementations for tenancy (partitions and namesapces) + # instead of bridging to the existing V1 implementations. The + # `resource-apis` feature flag must also be set. + # + # Example: + # + # ```yaml + # experiments: [ "resource-apis" ] + # ``` + # @type: array + experiments: [] + +# Server, when enabled, configures a server cluster to run. This should +# be disabled if you plan on connecting to a Consul cluster external to +# the Kube cluster. +server: + # If true, the chart will install all the resources necessary for a + # Consul server cluster. If you're running Consul externally and want agents + # within Kubernetes to join that cluster, this should probably be false. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # Consul server agents. + # @type: string + image: null + + # The number of server agents to run. This determines the fault tolerance of + # the cluster. Please refer to the [deployment table](https://developer.hashicorp.com/consul/docs/architecture/consensus#deployment-table) + # for more information. + replicas: 1 + + # The number of servers that are expected to be running. + # It defaults to server.replicas. + # In most cases the default should be used, however if there are more + # servers in this datacenter than server.replicas it might make sense + # to override the default. This would be the case if two kube clusters + # were joined into the same datacenter and each cluster ran a certain number + # of servers. + # @type: int + bootstrapExpect: null + + # A secret containing a certificate & key for the server agents to use + # for TLS communication within the Consul cluster. Cert needs to be provided with + # additional DNS name SANs so that it will work within the Kubernetes cluster: + # + # Kubernetes Secrets backend: + # ```bash + # consul tls cert create -server -days=730 -domain=consul -ca=consul-agent-ca.pem \ + # -key=consul-agent-ca-key.pem -dc={{datacenter}} \ + # -additional-dnsname="{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}" \ + # -additional-dnsname="*.{{fullname}}-server.{{namespace}}.svc" \ + # -additional-dnsname="*.server.{{datacenter}}.{{domain}}" \ + # -additional-dnsname="server.{{datacenter}}.{{domain}}" + # ``` + # + # If you have generated the server-cert yourself with the consul CLI, you could use the following command + # to create the secret in Kubernetes: + # + # ```bash + # kubectl create secret generic consul-server-cert \ + # --from-file='tls.crt=./dc1-server-consul-0.pem' + # --from-file='tls.key=./dc1-server-consul-0-key.pem' + # ``` + # + # Vault Secrets backend: + # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # Complete [this tutorial](https://developer.hashicorp.com/consul/tutorials/vault-secure/vault-pki-consul-secure-tls) + # to learn how to generate a compatible certificate. + # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine + # must be provided. + serverCert: + # The name of the Vault secret that holds the PEM encoded server certificate. + # @type: string + secretName: null + + # Exposes the servers' gossip and RPC ports as hostPorts. To enable a client + # agent outside of the k8s cluster to join the datacenter, you would need to + # enable `server.exposeGossipAndRPCPorts`, `client.exposeGossipPorts`, and + # set `server.ports.serflan.port` to a port not being used on the host. Since + # `client.exposeGossipPorts` uses the hostPort 8301, + # `server.ports.serflan.port` must be set to something other than 8301. + exposeGossipAndRPCPorts: false + + # Configures ports for the consul servers. + ports: + # Configures the LAN gossip port for the consul servers. If you choose to + # enable `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, + # that will configure the LAN gossip ports on the servers and clients to be + # hostPorts, so if you are running clients and servers on the same node the + # ports will conflict if they are both 8301. When you enable + # `server.exposeGossipAndRPCPorts` and `client.exposeGossipPorts`, you must + # change this from the default to an unused port on the host, e.g. 9301. By + # default the LAN gossip port is 8301 and configured as a containerPort on + # the consul server Pods. + serflan: + port: 8301 + + # This defines the disk size for configuring the + # servers' StatefulSet storage. For dynamically provisioned storage classes, this is the + # desired size. For manually defined persistent volumes, this should be set to + # the disk size of the attached volume. + storage: 10Gi + + # The StorageClass to use for the servers' StatefulSet storage. It must be + # able to be dynamically provisioned if you want the storage + # to be automatically created. For example, to use + # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) + # storage classes, the PersistentVolumeClaims would need to be manually created. + # A `null` value will use the Kubernetes cluster's default StorageClass. If a default + # StorageClass does not exist, you will need to create one. + # Refer to the [Read/Write Tuning](https://developer.hashicorp.com/consul/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations + # around choosing a performant storage class. + # + # ~> **Note:** The [Reference Architecture](https://developer.hashicorp.com/consul/tutorials/production-deploy/reference-architecture#hardware-sizing-for-consul-servers) + # contains best practices and recommendations for selecting suitable + # hardware sizes for your Consul servers. + # @type: string + storageClass: null + + # The [Persistent Volume Claim (PVC) retention policy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention) + # controls if and how PVCs are deleted during the lifecycle of a StatefulSet. + # WhenDeleted specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is deleted, + # and WhenScaled specifies what happens to PVCs created from StatefulSet VolumeClaimTemplates when the StatefulSet is scaled down. + # + # Example: + # + # ```yaml + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + # ``` + # @type: map + persistentVolumeClaimRetentionPolicy: null + + # This will enable/disable [service mesh](https://developer.hashicorp.com/consul/docs/connect). Setting this to true + # _will not_ automatically secure pod communication, this + # setting will only enable usage of the feature. Consul will automatically initialize + # a new CA and set of certificates. Additional service mesh settings can be configured + # by setting the `server.extraConfig` value or by applying [configuration entries](https://developer.hashicorp.com/consul/docs/connect/config-entries). + connect: true + + # When set to true, enables Consul to report additional debugging information, including runtime profiling (pprof) data. + # This setting is only required for clusters without ACL enabled. Sets `enable_debug` in server agent config to `true`. + # If you change this setting, you must restart the agent for the change to take effect. Default is false. + # @type: boolean + enableAgentDebug: false + + serviceAccount: + # This value defines additional annotations for the server service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource requests (CPU, memory, etc.) + # for each of the server agents. This should be a YAML map corresponding to a Kubernetes + # [`ResourceRequirements``](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#resourcerequirements-v1-core) + # object. NOTE: The use of a YAML string is deprecated. + # + # Example: + # + # ```yaml + # resources: + # requests: + # memory: '200Mi' + # cpu: '100m' + # limits: + # memory: '200Mi' + # cpu: '100m' + # ``` + # + # @recurse: false + # @type: map + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "200Mi" + cpu: "100m" + + # The security context for the server pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the server pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul server agent container + # @type: map + # @recurse: false + server: null + # The acl-init job + # @type: map + # @recurse: false + aclInit: null + # The tls-init job + # @type: map + # @recurse: false + tlsInit: null + + # This value is used to carefully + # control a rolling update of Consul server agents. This value specifies the + # [partition](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions) + # for performing a rolling update. Please read the linked Kubernetes + # and [Upgrade Consul](https://developer.hashicorp.com/consul/docs/k8s/upgrade#upgrading-consul-servers) + # documentation for more information. + updatePartition: 0 + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the server cluster. + disruptionBudget: + # Enables registering a PodDisruptionBudget for the server + # cluster. If enabled, it only registers the budget so long as + # the server cluster is enabled. To disable, set to `false`. + enabled: true + + # The maximum number of unavailable pods. In most cases you should not change this as it is automatically set to + # the correct number when left as null. This setting has been kept to preserve backwards compatibility. + # + # By default, this is set to 1 internally in the chart. When server pods are stopped gracefully, they leave the Raft + # consensus pool. When running an odd number of servers, one server leaving the pool does not change the quorum + # size, and so fault tolerance is not affected. However, if more than one server were to leave the pool, the quorum + # size would change. That's why this is set to 1 internally and should not be changed in most cases. + # + # If you need to set this to `0`, you will need to add a + # --set 'server.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # servers. This will be saved as-is into a ConfigMap that is read by the Consul + # server agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'server.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for server agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for server pods. It defaults to allowing only a single server pod on each node, which + # minimizes risk of the cluster becoming unusable if a node is lost. If you need + # to run more pods per node (for example, testing on Minikube), set this value + # to `null`. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # topologyKey: kubernetes.io/hostname + # ``` + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Toleration settings for server pods. This + # should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) + # array in a Pod spec. + tolerations: "" + + # Pod topology spread constraints for server pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: server + # ``` + topologySpreadConstraints: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for server pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to server pods. + priorityClassName: "" + + # Extra labels to attach to the server pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures a service to expose ports on the Consul servers over a Kubernetes Service. + exposeService: + # When enabled, deploys a Kubernetes Service to reach the Consul servers. + # @type: boolean + enabled: "-" + # Type of service, supports LoadBalancer or NodePort. + # @type: string + type: LoadBalancer + # If service is of type NodePort, configures the nodePorts. + nodePort: + # Configures the nodePort to expose the Consul server http port. + # @type: integer + http: null + # Configures the nodePort to expose the Consul server https port. + # @type: integer + https: null + # Configures the nodePort to expose the Consul server serf port. + # @type: integer + serf: null + # Configures the nodePort to expose the Consul server rpc port. + # @type: integer + rpc: null + # Configures the nodePort to expose the Consul server grpc port. + # @type: integer + grpc: null + # This value defines additional annotations for + # server pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Server service properties. + service: + # Annotations to apply to the server service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # [Enterprise Only] Values for setting up and running + # [snapshot agents](https://developer.hashicorp.com/consul/commands/snapshot/agent) + # within the Consul clusters. They run as a sidecar with Consul servers. + snapshotAgent: + # If true, the chart will install resources necessary to run the snapshot agent. + enabled: false + + # Interval at which to perform snapshots. + # Refer to [`interval`](https://developer.hashicorp.com/consul/commands/snapshot/agent#interval) + # @type: string + interval: 1h + + # A Kubernetes or Vault secret that should be manually created to contain the entire + # config to be used on the snapshot agent. + # This is the preferred method of configuration since there are usually storage + # credentials present. Please refer to the [Snapshot agent config](https://developer.hashicorp.com/consul/commands/snapshot/agent#config-file-options) + # for details. + configSecret: + # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. + # @type: string + secretName: null + # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. + # @type: string + secretKey: null + + # The resource settings for snapshot agent pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. + # Useful if using an S3-compatible storage exposing a self-signed certificate. + # + # Example: + # + # ```yaml + # caCert: | + # -----BEGIN CERTIFICATE----- + # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx + # ... + # ``` + # @type: string + caCert: null + + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing + # and configure a sink and filters for their audit logs. Please refer to + # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation + # for further information. + auditLogs: + # Controls whether Consul logs out each time a user performs an operation. + # global.acls.manageSystemACLs must be enabled to use this feature. + enabled: false + + # A single entry of the sink object provides configuration for the destination to which Consul + # will log auditing events. + # + # Example: + # + # ```yaml + # sinks: + # - name: My Sink + # type: file + # format: json + # path: /tmp/audit.json + # delivery_guarantee: best-effort + # rotate_duration: 24h + # rotate_max_files: 15 + # rotate_bytes: 25165824 + # + # ``` + # + # The sink object supports the following keys: + # + # - `name` - Name of the sink. + # + # - `type` - Type specifies what kind of sink this is. Currently only file sinks are available + # + # - `format` - Format specifies what format the events will be emitted with. Currently only `json` + # events are emitted. + # + # - `path` - The directory and filename to write audit events to. + # + # - `delivery_guarantee` - Specifies the rules governing how audit events are written. Consul + # only supports `best-effort` event delivery. + # + # - `mode` - The permissions to set on the audit log files. + # + # - `rotate_duration` - Specifies the interval by which the system rotates to a new log file. + # At least one of `rotate_duration` or `rotate_bytes` must be configured to enable audit logging. + # + # - `rotate_bytes` - Specifies how large an individual log file can grow before Consul rotates to a new file. + # At least one of rotate_bytes or rotate_duration must be configured to enable audit logging. + # + # - `rotate_max_files` - Defines the limit that Consul should follow before it deletes old log files. + # + # @type: array + sinks: [] + + # Settings for potentially limiting timeouts, rate limiting on clients as well + # as servers, and other settings to limit exposure too many requests, requests + # waiting for too long, and other runtime considerations. + limits: + # This object specifies configurations that limit the rate of RPC and gRPC + # requests on the Consul server. Limiting the rate of gRPC and RPC requests + # also limits HTTP requests to the Consul server. + # https://developer.hashicorp.com/consul/docs/agent/config/config-files#request_limits + requestLimits: + # Setting for disabling or enabling rate limiting. If not disabled, it + # enforces the action that will occur when RequestLimitsReadRate + # or RequestLimitsWriteRate is exceeded. The default value of "disabled" will + # prevent any rate limiting from occuring. A value of "enforce" will block + # the request from processings by returning an error. A value of + # "permissive" will not block the request and will allow the request to + # continue processing. + # @type: string + mode: "disabled" + + # Setting that controls how frequently RPC, gRPC, and HTTP + # queries are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsReadRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + readRate: -1 + + # Setting that controls how frequently RPC, gRPC, and HTTP + # writes are allowed to happen. In any large enough time interval, rate + # limiter limits the rate to RequestLimitsWriteRate tokens per second. + # + # See https://en.wikipedia.org/wiki/Token_bucket for more about token + # buckets. + # @type: integer + writeRate: -1 + +# Configuration for Consul servers when the servers are running outside of Kubernetes. +# When running external servers, configuring these values is recommended +# if setting `global.tls.enableAutoEncrypt` to true +# or `global.acls.manageSystemACLs` to true. +externalServers: + # If true, the Helm chart will be configured to talk to the external servers. + # If setting this to true, you must also set `server.enabled` to false. + enabled: false + + # An array of external Consul server hosts that are used to make + # HTTPS connections from the components in this Helm chart. + # Valid values include an IP, a DNS name, or an [exec=](https://github.com/hashicorp/go-netaddrs) string. + # The port must be provided separately below. + # Note: This slice can only contain a single element. + # Note: If enabling clients, `client.join` must also be set to the hosts that should be + # used to join the cluster. In most cases, the `client.join` values + # should be the same, however, they may be different if you + # wish to use separate hosts for the HTTPS connections. `tlsServerName` is required if TLS is enabled and 'hosts' is not a DNS name. + # @type: array + hosts: [] + + # The HTTPS port of the Consul servers. + httpsPort: 8501 + + # The GRPC port of the Consul servers. + grpcPort: 8502 + + # The server name to use as the SNI host header when connecting with HTTPS. This name also appears as the hostname in the server certificate's subject field. + # @type: string + tlsServerName: null + + # If true, consul-k8s-control-plane components will ignore the CA set in + # `global.tls.caCert` when making HTTPS calls to Consul servers and + # will instead use the consul-k8s-control-plane image's system CAs for TLS verification. + # If false, consul-k8s-control-plane components will use `global.tls.caCert` when + # making HTTPS calls to Consul servers. + # **NOTE:** This does not affect Consul's internal RPC communication which will + # always use `global.tls.caCert`. + useSystemRoots: false + + # If you are setting `global.acls.manageSystemACLs` and + # `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server. + # This address must be reachable from the Consul servers. + # Please refer to the [Kubernetes Auth Method documentation](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes). + # + # If `global.federation.enabled` is set to true, `global.federation.k8sAuthMethodHost` and + # `externalServers.k8sAuthMethodHost` should be set to the same value. + # + # You could retrieve this value from your `kubeconfig` by running: + # + # ```shell-session + # $ kubectl config view \ + # -o jsonpath="{.clusters[?(@.name=='')].cluster.server}" + # ``` + # + # @type: string + k8sAuthMethodHost: null + + # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is + # useful for situations where Consul servers are behind a load balancer. + skipServerWatch: false + +# Values that configure running a Consul client on Kubernetes nodes. +client: + # If true, the chart will install all + # the resources necessary for a Consul client on every Kubernetes node. This _does not_ require + # `server.enabled`, since the agents can be configured to join an external cluster. + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers + # running Consul client agents. + # @type: string + image: null + + # A list of valid [`-retry-join` values](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_retry_join). + # If this is `null` (default), then the clients will attempt to automatically + # join the server cluster running within Kubernetes. + # This means that with `server.enabled` set to true, clients will automatically + # join that cluster. If `server.enabled` is not true, then a value must be + # specified so the clients can join a valid cluster. + # @type: array + join: null + + # An absolute path to a directory on the host machine to use as the Consul + # client data directory. If set to the empty string or null, the Consul agent + # will store its data in the Pod's local filesystem (which will + # be lost if the Pod is deleted). Security Warning: If setting this, Pod Security + # Policies _must_ be enabled on your cluster and in this Helm chart (via the + # `global.enablePodSecurityPolicies` setting) to prevent other pods from + # mounting the same host path and gaining access to all of Consul's data. + # Consul's data is not encrypted at rest. + # @type: string + dataDirectoryHostPath: null + + # If true, agents will enable their GRPC listener on + # port 8502 and expose it to the host. This will use slightly more resources, but is + # required for Connect. + grpc: true + + # nodeMeta specifies an arbitrary metadata key/value pair to associate with the node + # (refer to [`-node-meta`](https://developer.hashicorp.com/consul/docs/agent/config/cli-flags#_node_meta)) + nodeMeta: + pod-name: ${HOSTNAME} + host-ip: ${HOST_IP} + + # If true, the Helm chart will expose the clients' gossip ports as hostPorts. + # This is only necessary if pod IPs in the k8s cluster are not directly routable + # and the Consul servers are outside of the k8s cluster. + # This also changes the clients' advertised IP to the `hostIP` rather than `podIP`. + exposeGossipPorts: false + + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for Client agents. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The security context for the client pods. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as non-root, with user ID `100` and group ID `1000`, + # which correspond to the consul user and group created by the Consul docker image. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + + # The container securityContext for each container in the client pods. In + # addition to the Pod's SecurityContext this can + # set the capabilities of processes running in the container and ensure the + # root file systems in the container is read-only. + # @type: map + # @recurse: true + containerSecurityContext: + # The consul client agent container + # @type: map + # @recurse: false + client: null + # The acl-init initContainer + # @type: map + # @recurse: false + aclInit: null + # The tls-init initContainer + # @type: map + # @recurse: false + tlsInit: null + + # A raw string of extra [JSON configuration](https://developer.hashicorp.com/consul/docs/agent/config/config-files) for Consul + # clients. This will be saved as-is into a ConfigMap that is read by the Consul + # client agents. This can be used to add additional configuration that + # isn't directly exposed by the chart. + # + # Example: + # + # ```yaml + # extraConfig: | + # { + # "log_level": "DEBUG" + # } + # ``` + # + # This can also be set using Helm's `--set` flag using the following syntax: + # + # ```shell-session + # --set 'client.extraConfig="{"log_level": "DEBUG"}"' + # ``` + extraConfig: | + {} + + # A list of extra volumes to mount for client agents. This + # is useful for bringing in extra data that can be referenced by other configurations + # at a well known path, such as TLS certificates or Gossip encryption keys. The + # value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: consul-certs + # load: false + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # - `load` - If true, then the agent will be + # configured to automatically load HCL/JSON configuration files from this volume + # with `-config-dir`. This defaults to false. + # + # @type: array + extraVolumes: [] + + # A list of sidecar containers. + # Example: + # + # ```yaml + # extraContainers: + # - name: extra-container + # image: example-image:latest + # command: + # - ... + # ``` + # @type: array + extraContainers: [] + + # Toleration Settings for Client pods + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # The example below will allow Client pods to run on every node + # regardless of taints + # + # ```yaml + # tolerations: | + # - operator: Exists + # ``` + tolerations: "" + + # nodeSelector labels for client pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings for Client pods, formatted as a multi-line YAML string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + # + # Example: + # + # ```yaml + # affinity: | + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: node-role.kubernetes.io/master + # operator: DoesNotExist + # ``` + # @type: string + affinity: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to client pods. + priorityClassName: "" + + # This value defines additional annotations for + # client pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Extra labels to attach to the client pods. This should be a regular YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # A list of extra environment variables to set within the stateful set. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} + + # This value defines the [Pod DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) + # for client pods to use. + # @type: string + dnsPolicy: null + + # hostNetwork defines whether or not we use host networking instead of hostPort in the event + # that a CNI plugin doesn't support `hostPort`. This has security implications and is not recommended + # as doing so gives the consul client unnecessary access to all network traffic on the host. + # In most cases, pod network and host network are on different networks so this should be + # combined with `dnsPolicy: ClusterFirstWithHostNet` + hostNetwork: false + + # updateStrategy for the DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + +# Configuration for DNS configuration within the Kubernetes cluster. +# This creates a service that routes to all agents (client or server) +# for serving DNS requests. This DOES NOT automatically configure kube-dns +# today, so you must still manually configure a `stubDomain` with kube-dns +# for this to have any effect: +# https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configure-stub-domain-and-upstream-dns-servers +dns: + # @type: boolean + enabled: "-" + + # If true, services using Consul service mesh will use Consul DNS + # for default DNS resolution. The DNS lookups fall back to the nameserver IPs + # listed in /etc/resolv.conf if not found in Consul. + # @type: boolean + enableRedirection: "-" + + # Used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) + type: ClusterIP + + # Set a predefined cluster IP for the DNS service. + # Useful if you need to reference the DNS service's IP + # address in CoreDNS config. + # @type: string + clusterIP: null + + # Extra annotations to attach to the dns service + # This should be a multi-line string of + # annotations to apply to the dns Service + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + +# Values that configure the Consul UI. +ui: + # If true, the UI will be enabled. This will + # only _enable_ the UI, it doesn't automatically register any service for external + # access. The UI will only be enabled on server agents. If `server.enabled` is + # false, then this setting has no effect. To expose the UI in some way, you must + # configure `ui.service`. + # @default: global.enabled + # @type: boolean + enabled: "-" + + # Configure the service for the Consul UI. + service: + # This will enable/disable registering a + # Kubernetes Service for the Consul UI. This value only takes effect if `ui.enabled` is + # true and taking effect. + enabled: true + + # The service type to register. + # @type: string + type: null + + # Set the port value of the UI service. + port: + # HTTP port. + http: 80 + + # HTTPS port. + https: 443 + + # Optionally set the nodePort value of the ui service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + nodePort: + # HTTP node port + # @type: integer + http: null + + # HTTPS node port + # @type: integer + https: null + + # Annotations to apply to the UI service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Additional ServiceSpec values + # This should be a multi-line string mapping directly to a Kubernetes + # ServiceSpec object. + # @type: string + additionalSpec: null + + # Configure Ingress for the Consul UI. + # If `global.tls.enabled` is set to `true`, the Ingress will expose + # the port 443 on the UI service. Please ensure the Ingress Controller + # supports SSL pass-through and it is enabled to ensure traffic forwarded + # to port 443 has not been TLS terminated. + ingress: + # This will create an Ingress resource for the Consul UI. + # @type: boolean + enabled: false + + # Optionally set the ingressClassName. + ingressClassName: "" + + # pathType override - refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types + pathType: Prefix + + # hosts is a list of host name to create Ingress rules. + # + # ```yaml + # hosts: + # - host: foo.bar + # paths: + # - /example + # - /test + # ``` + # + # @type: array + hosts: [] + + # tls is a list of hosts and secret name in an Ingress + # which tells the Ingress controller to secure the channel. + # + # ```yaml + # tls: + # - hosts: + # - chart-example.local + # secretName: testsecret-tls + # ``` + # @type: array + tls: [] + + # Annotations to apply to the UI ingress. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Configurations for displaying metrics in the UI. + metrics: + # Enable displaying metrics in the UI. The default value of "-" + # will inherit from `global.metrics.enabled` value. + # @type: boolean + # @default: global.metrics.enabled + enabled: "-" + # Provider for metrics. Refer to + # [`metrics_provider`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_metrics_provider) + # This value is only used if `ui.enabled` is set to true. + # @type: string + provider: "prometheus" + + # baseURL is the URL of the prometheus server, usually the service URL. + # This value is only used if `ui.enabled` is set to true. + # @type: string + baseURL: http://prometheus-server + + # Corresponds to [`dashboard_url_templates`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates) + # configuration. + dashboardURLTemplates: + # Sets [`dashboardURLTemplates.service`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#ui_config_dashboard_url_templates_service). + service: "" + +# Configure the catalog sync process to sync K8S with Consul +# services. This can run bidirectional (default) or unidirectionally (Consul +# to K8S or K8S to Consul only). +# +# This process assumes that a Consul agent is available on the host IP. +# This is done automatically if clients are enabled. If clients are not +# enabled then set the node selection so that it chooses a node with a +# Consul agent. +syncCatalog: + # True if you want to enable the catalog sync. Set to "-" to inherit from + # global.enabled. + enabled: false + + # The name of the Docker image (including any tag) for consul-k8s-control-plane + # to run the sync program. + # @type: string + image: null + + # If true, all valid services in K8S are + # synced by default. If false, the service must be [annotated](https://developer.hashicorp.com/consul/docs/k8s/service-sync#enable-and-disable-sync) + # properly to sync. + # In either case an annotation can override the default. + default: true + + # Optional priorityClassName. + priorityClassName: "" + + # If true, will sync Kubernetes services to Consul. This can be disabled to + # have a one-way sync. + toConsul: true + + # If true, will sync Consul services to Kubernetes. This can be disabled to + # have a one-way sync. + toK8S: true + + # Service prefix to prepend to services before registering + # with Kubernetes. For example "consul-" will register all services + # prepended with "consul-". (Consul -> Kubernetes sync) + # @type: string + k8sPrefix: null + + # List of k8s namespaces to sync the k8s services from. + # If a k8s namespace is not included in this list or is listed in `k8sDenyNamespaces`, + # services in that k8s namespace will not be synced even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow services in the k8s + # namespaces `namespace1` and `namespace2` to be synced and registered + # with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not have their + # services synced. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to sync. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and `k8sDenyNamespaces` is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides `namespace1` + # and `namespace2` will be synced. + # @type: array + k8sDenyNamespaces: ["kube-system", "kube-public"] + + # [DEPRECATED] Use k8sAllowNamespaces and k8sDenyNamespaces instead. For + # backwards compatibility, if both this and the allow/deny lists are set, + # the allow/deny lists will be ignored. + # k8sSourceNamespace is the Kubernetes namespace to watch for service + # changes and sync to Consul. If this is not set then it will default + # to all namespaces. + # @type: string + k8sSourceNamespace: null + + # [Enterprise Only] These settings manage the catalog sync's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s services into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # If true, k8s services will be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. + # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # service in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Appends Kubernetes namespace suffix to + # each service name synced to Consul, separated by a dash. + # For example, for a service 'foo' in the default namespace, + # the sync process will create a Consul service named 'foo-default'. + # Set this flag to true to avoid registering services with the same name + # but in different namespaces as instances for the same Consul service. + # Namespace suffix is not added if 'annotationServiceName' is provided. + addK8SNamespaceSuffix: true + + # Service prefix which prepends itself + # to Kubernetes services registered within Consul + # For example, "k8s-" will register all services prepended with "k8s-". + # (Kubernetes -> Consul sync) + # consulPrefix is ignored when 'annotationServiceName' is provided. + # NOTE: Updating this property to a non-null value for an existing installation will result in deregistering + # of existing services in Consul and registering them with a new name. + # @type: string + consulPrefix: null + + # Optional tag that is applied to all of the Kubernetes services + # that are synced into Consul. If nothing is set, defaults to "k8s". + # (Kubernetes -> Consul sync) + # @type: string + k8sTag: null + + # Defines the Consul synthetic node that all services + # will be registered to. + # NOTE: Changing the node name and upgrading the Helm chart will leave + # all of the previously sync'd services registered with Consul and + # register them again under the new Consul node name. The out-of-date + # registrations will need to be explicitly removed. + consulNodeName: "k8s-sync" + + # Syncs services of the ClusterIP type, which may + # or may not be broadly accessible depending on your Kubernetes cluster. + # Set this to false to skip syncing ClusterIP services. + syncClusterIPServices: true + + # If true, LoadBalancer service endpoints instead of ingress addresses will be synced to Consul. + # If false, LoadBalancer endpoints are not synced to Consul. + syncLoadBalancerEndpoints: false + + ingress: + # Syncs the hostname from a Kubernetes Ingress resource to service registrations + # when a rule matched a service. Currently only supports host based routing and + # not path based routing. The only supported path on an ingress rule is "/". + # Set this to false to skip syncing Ingress services. + # + # Currently, port 80 is synced if there is not TLS entry for the hostname. Syncs the port + # 443 if there is a TLS entry that matches the hostname. + enabled: false + # Requires syncIngress to be `true`. syncs the LoadBalancer IP from a Kubernetes Ingress + # resource instead of the hostname to service registrations when a rule matched a service. + loadBalancerIPs: false + + # Configures the type of syncing that happens for NodePort + # services. The valid options are: ExternalOnly, InternalOnly, ExternalFirst. + # + # - ExternalOnly will only use a node's ExternalIP address for the sync + # - InternalOnly use's the node's InternalIP address + # - ExternalFirst will preferentially use the node's ExternalIP address, but + # if it doesn't exist, it will use the node's InternalIP address instead. + nodePortSyncType: ExternalFirst + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the sync process the correct + # permissions. This is only needed if ACLs are managed manually within the Consul cluster, i.e. `global.acls.manageSystemACLs` is `false`. + aclSyncToken: + # The name of the Kubernetes secret that holds the acl sync token. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the acl sync token. + # @type: string + secretKey: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for catalog sync pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for sync catalog pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # Override global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Override the default interval to perform syncing operations creating Consul services. + # @type: string + consulWriteInterval: null + + # Extra labels to attach to the sync catalog pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # the catalog sync pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + +# Configures the automatic Connect sidecar injector. +connectInject: + # True if you want to enable connect injection. Set to "-" to inherit from + # global.enabled. + enabled: true + + # The number of deployment replicas. + replicas: 1 + + # Image for consul-k8s-control-plane that contains the injector. + # @type: string + image: null + + # If true, the injector will inject the + # Connect sidecar into all pods by default. Otherwise, pods must specify the + # [injection annotation](https://developer.hashicorp.com/consul/docs/k8s/connect#consul-hashicorp-com-connect-inject) + # to opt-in to Connect injection. If this is true, pods can use the same annotation + # to explicitly opt-out of injection. + default: false + + # Configures Transparent Proxy for Consul Service mesh services. + # Using this feature requires Consul 1.10.0-beta1+. + transparentProxy: + # If true, then all Consul Service mesh will run with transparent proxy enabled by default, + # i.e. we enforce that all traffic within the pod will go through the proxy. + # This value is overridable via the "consul.hashicorp.com/transparent-proxy" pod annotation. + defaultEnabled: true + + # If true, we will overwrite Kubernetes HTTP probes of the pod to point to the Envoy proxy instead. + # This setting is recommended because with traffic being enforced to go through the Envoy proxy, + # the probes on the pod will fail because kube-proxy doesn't have the right certificates + # to talk to Envoy. + # This value is also overridable via the "consul.hashicorp.com/transparent-proxy-overwrite-probes" annotation. + # Note: This value has no effect if transparent proxy is disabled on the pod. + defaultOverwriteProbes: true + + # This configures the [`PodDisruptionBudget`](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + # for the service mesh sidecar injector. + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the + # service mesh sidecar injector. If this is enabled, it will only register the budget so long as + # the service mesh is enabled. + enabled: true + + # The maximum number of unavailable pods. By default, this will be + # automatically computed based on the `connectInject.replicas` value to be `(n/2)-1`. + # If you need to set this to `0`, you will need to add a + # --set 'connectInject.disruptionBudget.maxUnavailable=0'` flag to the helm chart installation + # command because of a limitation in the Helm templating language. + # @type: integer + maxUnavailable: null + + # The minimum number of available pods. + # Takes precedence over maxUnavailable if set. + # @type: integer + minAvailable: null + + # Configuration settings for the Consul API Gateway integration. + apiGateway: + # Enables Consul on Kubernetes to manage the CRDs used for Gateway API. + # Setting this to true will install the CRDs used for the Gateway API when Consul on Kubernetes is installed. + # These CRDs can clash with existing Gateway API CRDs if they are already installed in your cluster. + # If this setting is false, you will need to install the Gateway API CRDs manually. + manageExternalCRDs: true + + # Enables Consul on Kubernets to manage only the non-standard CRDs used for Gateway API. If manageExternalCRDs is true + # then all CRDs will be installed; otherwise, if manageNonStandardCRDs is true then only TCPRoute, GatewayClassConfig and MeshService + # will be installed. + manageNonStandardCRDs: false + + # Configuration settings for the GatewayClass installed by Consul on Kubernetes. + managedGatewayClass: + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of Service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # Metrics settings for gateways created with this gateway class configuration. + metrics: + # This value enables or disables metrics collection on a gateway, overriding the global gateway metrics collection settings. + # @type: boolean + enabled: "-" + # This value sets the port to use for scraping gateway metrics via prometheus, defaults to 20200 if not set. Must be in the port + # range of 1024-65535. + # @type: int + port: null + # This value sets the path to use for scraping gateway metrics via prometheus, defaults to /metrics if not set. + # @type: string + path: null + + # The resource settings for Pods handling traffic for Gateway API. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + deployment: + defaultInstances: 1 + maxInstances: 1 + minInstances: 1 + + # The name of the OpenShift SecurityContextConstraints resource to use for Gateways. + # Only applicable if `global.openshift.enabled` is true. + # @type: string + openshiftSCCName: "restricted-v2" + + # This value defines the amount we will add to privileged container ports on gateways that use this class. + # This is useful if you don't want to give your containers extra permissions to run privileged ports. + # Example: The gateway listener is defined on port 80, but the underlying value of the port on the container + # will be the 80 + the number defined below. + mapPrivilegedContainerPorts: 0 + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configures consul-cni plugin for Consul Service mesh services + cni: + # If true, then all traffic redirection setup uses the consul-cni plugin. + # Requires connectInject.enabled to also be true. + # @type: boolean + enabled: false + + # Log level for the installer and plugin. Overrides global.logLevel + # @type: string + logLevel: null + + # Set the namespace to install the CNI plugin into. Overrides global namespace settings for CNI resources. + # Ex: "kube-system" + # @type: string + namespace: null + + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' + # Example on GKE: + # + # ```yaml + # cniBinDir: "/home/kubernetes/bin" + # ``` + # @type: string + cniBinDir: "/opt/cni/bin" + + # Location on the kubernetes node of all CNI configuration. Should be the absolute path and start with a '/' + # @type: string + cniNetDir: "/etc/cni/net.d" + + # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained + # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm + # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin + # to be executed and for your service to be added to the Consul Service Mesh. + # + # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod + # to use the default installed NetworkAttachementDefinition CRD. + # + # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) + # for more information about using multus. + # @type: string + multus: false + + # The resource settings for CNI installer daemonset. + # @recurse: false + # @type: map + resources: + requests: + memory: "75Mi" + cpu: "75m" + limits: + memory: "100Mi" + cpu: "100m" + + # Resource quotas for running the daemonset as system critical pods + resourceQuota: + pods: 5000 + + # The security context for the CNI installer daemonset. This should be a YAML map corresponding to a + # Kubernetes [SecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) object. + # By default, servers will run as root, with user ID `0` and group ID `0`. + # Note: if running on OpenShift, this setting is ignored because the user and group are set automatically + # by the OpenShift platform. + # @type: map + # @recurse: false + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + + # updateStrategy for the CNI installer DaemonSet. + # Refer to the Kubernetes [Daemonset upgrade strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) + # documentation. + # This should be a multi-line string mapping directly to the updateStrategy + # + # Example: + # + # ```yaml + # updateStrategy: | + # rollingUpdate: + # maxUnavailable: 5 + # type: RollingUpdate + # ``` + # + # @type: string + updateStrategy: null + + consulNode: + # meta specifies an arbitrary metadata key/value pair to associate with the node. + # + # Example: + # + # ```yaml + # meta: + # cluster: test-cluster + # persistent: true + # ``` + # + # @type: map + meta: null + + # Configures metrics for Consul service mesh services. All values are overridable + # via annotations on a per-pod basis. + metrics: + # If true, the connect-injector will automatically + # add prometheus annotations to connect-injected pods. It will also + # add a listener on the Envoy sidecar to expose metrics. The exposed + # metrics will depend on whether metrics merging is enabled: + # - If metrics merging is enabled: + # the consul-dataplane will run a merged metrics server + # combining Envoy sidecar and Connect service metrics, + # i.e. if your service exposes its own Prometheus metrics. + # - If metrics merging is disabled: + # the listener will just expose Envoy sidecar metrics. + # This will inherit from `global.metrics.enabled`. + defaultEnabled: "-" + # Configures the consul-dataplane to run a merged metrics server + # to combine and serve both Envoy and Connect service metrics. + # This feature is available only in Consul v1.10.0 or greater. + defaultEnableMerging: false + # Configures the port at which the consul-dataplane will listen on to return + # combined metrics. This port only needs to be changed if it conflicts with + # the application's ports. + defaultMergedMetricsPort: 20100 + # Configures the port Prometheus will scrape metrics from, by configuring + # the Pod annotation `prometheus.io/port` and the corresponding listener in + # the Envoy sidecar. + # NOTE: This is *not* the port that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-port` annotation. + defaultPrometheusScrapePort: 20200 + # Configures the path Prometheus will scrape metrics from, by configuring the pod + # annotation `prometheus.io/path` and the corresponding handler in the Envoy + # sidecar. + # NOTE: This is *not* the path that your application exposes metrics on. + # That can be configured with the + # `consul.hashicorp.com/service-metrics-path` annotation. + defaultPrometheusScrapePath: "/metrics" + + # Used to pass arguments to the injected envoy sidecar. + # Valid arguments to pass to envoy can be found here: https://www.envoyproxy.io/docs/envoy/latest/operations/cli + # e.g "--log-level debug --disable-hot-restart" + # @type: string + envoyExtraArgs: null + + # Optional priorityClassName. + priorityClassName: "" + + # Extra labels to attach to the connect inject pods. This should be a YAML map. + # + # Example: + # + # ```yaml + # extraLabels: + # labelKey: label-value + # anotherLabelKey: another-label-value + # ``` + # + # @type: map + extraLabels: null + + # This value defines additional annotations for + # connect inject pods. This should be formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The Docker image for Consul to use when performing Connect injection. + # Defaults to global.image. + # @type: string + imageConsul: null + + # Sets the `logLevel` for the `consul-dataplane` sidecar and the `consul-connect-inject-init` container. When set, this value overrides the global log verbosity level. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + serviceAccount: + # This value defines additional annotations for the injector service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for connect inject pods. The defaults, are optimized for getting started worklows on developer deployments. The settings should be tweaked for production deployments. + # @type: map + resources: + requests: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 500Mi + # @type: string + memory: "200Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + + # Sets the failurePolicy for the mutating webhook. By default this will cause pods not part of the consul installation to fail scheduling while the webhook + # is offline. This prevents a pod from skipping mutation if the webhook were to be momentarily offline. + # Once the webhook is back online the pod will be scheduled. + # In some environments such as Kind this may have an undesirable effect as it may prevent volume provisioner pods from running + # which can lead to hangs. In these environments it is recommend to use "Ignore" instead. + # This setting can be safely disabled by setting to "Ignore". + failurePolicy: "Fail" + + # Selector for restricting the webhook to only specific namespaces. + # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. + # Refer to https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # + # By default, we exclude kube-system since usually users won't + # want those pods injected and local-path-storage and openebs so that + # Kind (Kubernetes In Docker) and [OpenEBS](https://openebs.io/) respectively can provision Pods used to create PVCs. + # Note that this exclusion is only supported in Kubernetes v1.21.1+. + # + # Example: + # + # ```yaml + # namespaceSelector: | + # matchLabels: + # namespace-label: label-value + # ``` + # @type: string + namespaceSelector: | + matchExpressions: + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","local-path-storage","openebs"] + + # List of k8s namespaces to allow Connect sidecar + # injection in. If a k8s namespace is not included or is listed in `k8sDenyNamespaces`, + # pods in that k8s namespace will not be injected even if they are explicitly + # annotated. Use `["*"]` to automatically allow all k8s namespaces. + # + # For example, `["namespace1", "namespace2"]` will only allow pods in the k8s + # namespaces `namespace1` and `namespace2` to have Consul service mesh sidecars injected + # and registered with Consul. All other k8s namespaces will be ignored. + # + # To deny all namespaces, set this to `[]`. + # + # Note: `k8sDenyNamespaces` takes precedence over values defined here and + # `namespaceSelector` takes precedence over both since it is applied first. + # `kube-system` and `kube-public` are never injected, even if included here. + # @type: array + k8sAllowNamespaces: ["*"] + + # List of k8s namespaces that should not allow Connect + # sidecar injection. This list takes precedence over `k8sAllowNamespaces`. + # `*` is not supported because then nothing would be allowed to be injected. + # + # For example, if `k8sAllowNamespaces` is `["*"]` and k8sDenyNamespaces is + # `["namespace1", "namespace2"]`, then all k8s namespaces besides "namespace1" + # and "namespace2" will be available for injection. + # + # Note: `namespaceSelector` takes precedence over this since it is applied first. + # `kube-system` and `kube-public` are never injected. + # @type: array + k8sDenyNamespaces: [] + + # [Enterprise Only] These settings manage the connect injector's interaction with + # Consul namespaces (requires consul-ent v1.7+). + # Also, `global.enableConsulNamespaces` must be true. + consulNamespaces: + # Name of the Consul namespace to register all + # k8s pods into. If the Consul namespace does not already exist, + # it will be created. This will be ignored if `mirroringK8S` is true. + consulDestinationNamespace: "default" + + # Causes k8s pods to be registered into a Consul namespace + # of the same name as their k8s namespace, optionally prefixed if + # `mirroringK8SPrefix` is set below. If the Consul namespace does not + # already exist, it will be created. Turning this on overrides the + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". + mirroringK8S: true + + # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace + # to be given a prefix. For example, if `mirroringK8SPrefix` is set to "k8s-", a + # pod in the k8s `staging` namespace will be registered into the + # `k8s-staging` Consul namespace. + mirroringK8SPrefix: "" + + # Selector labels for connectInject pod assignment, formatted as a multi-line string. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # @type: string + nodeSelector: null + + # Affinity Settings + # This should be a multi-line string matching the affinity object + # @type: string + affinity: null + + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # Query that defines which Service Accounts + # can authenticate to Consul and receive an ACL token during Connect injection. + # The default setting, i.e. serviceaccount.name!=default, prevents the + # 'default' Service Account from logging in. + # If set to an empty string all service accounts can log in. + # This only has effect if ACLs are enabled. + # + # Refer to Auth methods [Binding rules](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods#binding-rules) + # and [Trusted identiy attributes](https://developer.hashicorp.com/consul/docs/security/acl/auth-methods/kubernetes#trusted-identity-attributes) + # for more details. + # Requires Consul >= v1.5. + aclBindingRuleSelector: "serviceaccount.name!=default" + + # If you are not using global.acls.manageSystemACLs and instead manually setting up an + # auth method for Connect inject, set this to the name of your auth method. + overrideAuthMethodName: "" + + # Refers to a Kubernetes secret that you have created that contains + # an ACL token for your Consul cluster which allows the Connect injector the correct + # permissions. This is only needed if Consul namespaces [Enterprise Only] and ACLs + # are enabled on the Consul cluster and you are not setting + # `global.acls.manageSystemACLs` to `true`. + # This token needs to have `operator = "write"` privileges to be able to + # create Consul namespaces. + aclInjectToken: + # The name of the Vault secret that holds the ACL inject token. + # @type: string + secretName: null + # The key within the Vault secret that holds the ACL inject token. + # @type: string + secretKey: null + + sidecarProxy: + # The number of worker threads to be used by the Envoy proxy. + # By default the threading model of Envoy will use one thread per CPU core per envoy proxy. This + # leads to unnecessary thread and memory usage and leaves unnecessary idle connections open. It is + # advised to keep this number low for sidecars and high for edge proxies. + # This will control the `--concurrency` flag to Envoy. + # For additional information, refer to https://blog.envoyproxy.io/envoy-threading-model-a8d44b922310 + # + # This setting can be overridden on a per-pod basis via this annotation: + # - `consul.hashicorp.com/consul-envoy-proxy-concurrency` + # @type: string + concurrency: 2 + + # Set default resources for sidecar proxy. If null, that resource won't + # be set. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/sidecar-proxy-cpu-limit` + # - `consul.hashicorp.com/sidecar-proxy-cpu-request` + # - `consul.hashicorp.com/sidecar-proxy-memory-limit` + # - `consul.hashicorp.com/sidecar-proxy-memory-request` + # @type: map + resources: + requests: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + limits: + # Recommended production default: 100Mi + # @type: string + memory: null + # Recommended production default: 100m + # @type: string + cpu: null + # Set default lifecycle management configuration for sidecar proxy. + # These settings can be overridden on a per-pod basis via these annotations: + # + # - `consul.hashicorp.com/enable-sidecar-proxy-lifecycle` + # - `consul.hashicorp.com/enable-sidecar-proxy-shutdown-drain-listeners` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-shutdown-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-startup-grace-period-seconds` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-port` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-shutdown-path` + # - `consul.hashicorp.com/sidecar-proxy-lifecycle-graceful-startup-path` + # @type: map + lifecycle: + # @type: boolean + defaultEnabled: true + # @type: boolean + defaultEnableShutdownDrainListeners: true + # @type: integer + defaultShutdownGracePeriodSeconds: 30 + # @type: integer + defaultStartupGracePeriodSeconds: 0 + # @type: integer + defaultGracefulPort: 20600 + # @type: string + defaultGracefulShutdownPath: "/graceful_shutdown" + # @type: string + defaultGracefulStartupPath: "/graceful_startup" + + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + + # The resource settings for the Connect injected init container. If null, the resources + # won't be set for the initContainer. The defaults are optimized for developer instances of + # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. + # @type: map + initContainer: + resources: + requests: + # Recommended production default: 150Mi + # @type: string + memory: "25Mi" + # Recommended production default: 250m + # @type: string + cpu: "50m" + limits: + # Recommended production default: 150Mi + # @type: string + memory: "150Mi" + # Recommended production default: 500m + # @type: string + cpu: null + +# [Mesh Gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) enable Consul Connect to work across Consul datacenters. +meshGateway: + # If [mesh gateways](https://developer.hashicorp.com/consul/docs/connect/gateways/mesh-gateway) are enabled, a Deployment will be created that runs + # gateways and Consul service mesh will be configured to use gateways. + # This setting is required for [Cluster Peering](https://developer.hashicorp.com/consul/docs/connect/cluster-peering/k8s). + # Requirements: consul 1.6.0+ if using `global.acls.manageSystemACLs``. + enabled: false + + # Override global log verbosity level for mesh-gateway-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Number of replicas for the Deployment. + replicas: 1 + + # What gets registered as WAN address for the gateway. + wanAddress: + # source configures where to retrieve the WAN address (and possibly port) + # for the mesh gateway from. + # Can be set to either: `Service`, `NodeIP`, `NodeName` or `Static`. + # + # - `Service` - Determine the address based on the service type. + # + # - If `service.type=LoadBalancer` use the external IP or hostname of + # the service. Use the port set by `service.port`. + # + # - If `service.type=NodePort` use the Node IP. The port will be set to + # `service.nodePort` so `service.nodePort` cannot be null. + # + # - If `service.type=ClusterIP` use the `ClusterIP`. The port will be set to + # `service.port`. + # + # - `service.type=ExternalName` is not supported. + # + # - `NodeIP` - The node IP as provided by the Kubernetes downward API. + # + # - `NodeName` - The name of the node as provided by the Kubernetes downward + # API. This is useful if the node names are DNS entries that + # are routable from other datacenters. + # + # - `Static` - Use the address hardcoded in `meshGateway.wanAddress.static`. + source: Service + + # Port that gets registered for WAN traffic. + # If source is set to "Service" then this setting will have no effect. + # Refer to the documentation for source as to which port will be used in that + # case. + port: 443 + + # If source is set to "Static" then this value will be used as the WAN + # address of the mesh gateways. This is useful if you've configured a + # DNS entry to point to your mesh gateways. + static: "" + + # The service option configures the Service that fronts the Gateway Deployment. + service: + # Type of service, ex. LoadBalancer, ClusterIP. + type: LoadBalancer + + # Port that the service will be exposed on. + # The targetPort will be set to meshGateway.containerPort. + port: 443 + + # Optionally set the nodePort value of the service if using a NodePort service. + # If not set and using a NodePort service, Kubernetes will automatically assign + # a port. + # @type: integer + nodePort: null + + # Annotations to apply to the mesh gateway service. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + # If set to true, gateway Pods will run on the host network. + hostNetwork: false + + # dnsPolicy to use. + # @type: string + dnsPolicy: null + + # Consul service name for the mesh gateways. + # Cannot be set to anything other than "mesh-gateway" if + # global.acls.manageSystemACLs is true since the ACL token + # generated is only for the name 'mesh-gateway'. + consulServiceName: "mesh-gateway" + + # Port that the gateway will run on inside the container. + containerPort: 8443 + + # Optional hostPort for the gateway to be exposed on. + # This can be used with wanAddress.port and wanAddress.useNodeIP + # to expose the gateways directly from the node. + # If hostNetwork is true, this must be null or set to the same port as + # containerPort. + # NOTE: Cannot set to 8500 or 8502 because those are reserved for the Consul + # agent. + # @type: integer + hostPort: null + + serviceAccount: + # This value defines additional annotations for the mesh gateways' service account. This should be formatted as a + # multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # The resource settings for mesh gateway pods. + # NOTE: The use of a YAML string is deprecated. Instead, set directly as a + # YAML map. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `service-init` init container. + # @recurse: false + # @type: map + initServiceInitContainer: + resources: + requests: + memory: "50Mi" + cpu: "50m" + limits: + memory: "50Mi" + cpu: "50m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for mesh gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for mesh gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: mesh-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Annotations to apply to the mesh gateway deployment. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + +# Configuration options for ingress gateways. Default values for all +# ingress gateways are defined in `ingressGateways.defaults`. Any of +# these values may be overridden in `ingressGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +ingressGateways: + # Enable ingress gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level for ingress-gateways-deployment pods. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each ingress gateway defined. + replicas: 1 + + # The service options configure the Service that fronts the gateway Deployment. + service: + # Type of service: LoadBalancer, ClusterIP or NodePort. If using NodePort service + # type, you must set the desired nodePorts in the `ports` setting below. + type: ClusterIP + + # Ports that will be exposed on the service and gateway container. Any + # ports defined as ingress listeners on the gateway's Consul configuration + # entry should be included here. The first port will be used as part of + # the Consul service registration for the gateway and be listed in its + # SRV record. If using a NodePort service type, you must specify the + # desired nodePort for each exposed port. + # @type: array + # @default: [{port: 8080, port: 8443}] + # @recurse: false + ports: + - port: 8080 + nodePort: null + - port: 8443 + nodePort: null + + # Annotations to apply to the ingress gateway service. Annotations defined + # here will be applied to all ingress gateway services in addition to any + # service annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + # Optional YAML string that will be appended to the Service spec. + # @type: string + additionalSpec: null + + serviceAccount: + # This value defines additional annotations for the ingress gateways' service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Resource limits for all ingress gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for ingress gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for ingress gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: ingress-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + priorityClassName: "" + + # Amount of seconds to wait for graceful termination before killing the pod. + terminationGracePeriodSeconds: 10 + + # Annotations to apply to the ingress gateway deployment. Annotations defined + # here will be applied to all ingress gateway deployments in addition to any + # annotations defined for a specific gateway in `ingressGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # "annotation-key": 'annotation-value' + # ``` + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. You must provide a unique name for each ingress gateway. These names + # must be unique across different namespaces. + # Values defined here override the defaults, except in the case of annotations where both will be applied. + # @type: array + gateways: + - name: ingress-gateway + +# Configuration options for terminating gateways. Default values for all +# terminating gateways are defined in `terminatingGateways.defaults`. Any of +# these values may be overridden in `terminatingGateways.gateways` for a +# specific gateway with the exception of annotations. Annotations will +# include both the default annotations and any additional ones defined +# for a specific gateway. +# Requirements: consul >= 1.8.0 +terminatingGateways: + # Enable terminating gateway deployment. Requires `connectInject.enabled=true`. + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # Defaults sets default values for all gateway fields. With the exception + # of annotations, defining any of these values in the `gateways` list + # will override the default values provided here. Annotations will + # include both the default annotations and any additional ones defined + # for a specific gateway. + defaults: + # Number of replicas for each terminating gateway defined. + replicas: 1 + + # A list of extra volumes to mount. These will be exposed to Consul in the path `/consul/userconfig//`. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: my-secret + # items: # optional items array + # - key: key + # path: path # secret will now mount to /consul/userconfig/my-secret/path + # ``` + # @type: array + extraVolumes: [] + + # Resource limits for all terminating gateway pods + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # This value defines the [affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) + # for terminating gateway pods. It defaults to `null` thereby allowing multiple gateway pods on each node. But if one would prefer + # a mode which minimizes risk of the cluster becoming unusable if a node is lost, set this value + # to the value in the example below. + # + # Example: + # + # ```yaml + # affinity: | + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # topologyKey: kubernetes.io/hostname + # ``` + # @type: string + affinity: null + + # Optional YAML string to specify tolerations. + # @type: string + tolerations: null + + # Pod topology spread constraints for terminating gateway pods. + # This should be a multi-line YAML string matching the + # [`topologySpreadConstraints`](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) + # array in a Pod Spec. + # + # This requires K8S >= 1.18 (beta) or 1.19 (stable). + # + # Example: + # + # ```yaml + # topologySpreadConstraints: | + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app: {{ template "consul.name" . }} + # release: "{{ .Release.Name }}" + # component: terminating-gateway + # ``` + topologySpreadConstraints: "" + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # Annotations to apply to the terminating gateway deployment. Annotations defined + # here will be applied to all terminating gateway deployments in addition to any + # annotations defined for a specific gateway in `terminatingGateways.gateways`. + # + # Example: + # + # ```yaml + # annotations: | + # 'annotation-key': annotation-value + # ``` + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the terminating gateways' service account. This should be + # formatted as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # [Enterprise Only] `consulNamespace` defines the Consul namespace to register + # the gateway into. Requires `global.enableConsulNamespaces` to be true and + # Consul Enterprise v1.7+ with a valid Consul Enterprise license. + # Note: The Consul namespace MUST exist before the gateway is deployed. + consulNamespace: "default" + + # Gateways is a list of gateway objects. The only required field for + # each is `name`, though they can also contain any of the fields in + # `defaults`. Values defined here override the defaults except in the + # case of annotations where both will be applied. + # @type: array + gateways: + - name: terminating-gateway + +# [DEPRECATED] Use connectInject.apiGateway instead. +# Configuration settings for the Consul API Gateway integration +apiGateway: + # When true the helm chart will install the Consul API Gateway controller + enabled: false + + # Image to use for the api-gateway-controller pods and gateway instances + # + # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`. + # @type: string + image: null + + # The name (and tag) of the Envoy Docker image used for the + # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane. + # @default: envoyproxy/envoy: + imageEnvoy: "envoyproxy/envoy:v1.25.11" + + # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error". + # @type: string + logLevel: info + + # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default) + managedGatewayClass: + # When true a GatewayClass is configured to automatically work with Consul as installed by helm. + enabled: true + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for gateway pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # Toleration settings for gateway pods created with the managed gateway class. + # This should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # This value defines the type of service created for gateways (e.g. LoadBalancer, ClusterIP) + serviceType: LoadBalancer + + # This value toggles if the gateway ports should be mapped to host ports + useHostPorts: false + + # Configuration settings for annotations to be copied from the Gateway to other child resources. + copyAnnotations: + # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # service: + # annotations: | + # - external-dns.alpha.kubernetes.io/hostname + # ``` + # + # @type: string + service: null + + # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways + # + # Example: + # + # ```yaml + # deployment: + # defaultInstances: 3 + # maxInstances: 8 + # minInstances: 1 + # ``` + # + # @type: map + deployment: null + + # Configuration for the ServiceAccount created for the api-gateway component + serviceAccount: + # This value defines additional annotations for the client service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + # Configuration for the api-gateway controller component + controller: + # This value sets the number of controller replicas to deploy. + replicas: 1 + + # Annotations to apply to the api-gateway-controller pods. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # This value references an existing + # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority) + # that can be assigned to api-gateway-controller pods. + priorityClassName: "" + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for api-gateway-controller pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + + # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the + # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec. + # + # @type: string + tolerations: null + + # Configuration for the Service created for the api-gateway-controller + service: + # Annotations to apply to the api-gateway-controller service. + # + # ```yaml + # annotations: | + # "annotation-key": "annotation-value" + # ``` + # + # @type: string + annotations: null + + # The resource settings for api gateway pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "100Mi" + cpu: "100m" + limits: + memory: "100Mi" + cpu: "100m" + + # The resource settings for the `copy-consul-bin` init container. + # @recurse: false + # @type: map + initCopyConsulContainer: + resources: + requests: + memory: "25Mi" + cpu: "50m" + limits: + memory: "150Mi" + cpu: "50m" + +# Configuration settings for the webhook-cert-manager +# `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook. +webhookCertManager: + # Toleration Settings + # This should be a multi-line string matching the Toleration array + # in a PodSpec. + # @type: string + tolerations: null + + # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) + # labels for the webhook-cert-manager pod assignment, formatted as a multi-line string. + # + # Example: + # + # ```yaml + # nodeSelector: | + # beta.kubernetes.io/arch: amd64 + # ``` + # + # @type: string + nodeSelector: null + +# Configures a demo Prometheus installation. +prometheus: + # When true, the Helm chart will install a demo Prometheus server instance + # alongside Consul. + enabled: false + +# Control whether a test Pod manifest is generated when running helm template. +# When using helm install, the test Pod is not submitted to the cluster so this +# is only useful when running helm template. +tests: + enabled: true + +telemetryCollector: + # Enables the consul-telemetry-collector deployment + # @type: boolean + enabled: false + + # Override global log verbosity level. One of "trace", "debug", "info", "warn", or "error". + # @type: string + logLevel: "" + + # The name of the Docker image (including any tag) for the containers running + # the consul-telemetry-collector + # @type: string + image: "hashicorp/consul-telemetry-collector:0.0.2" + + # The resource settings for consul-telemetry-collector pods. + # @recurse: false + # @type: map + resources: + requests: + memory: "512Mi" + cpu: "1000m" + limits: + memory: "512Mi" + cpu: "1000m" + + # This value sets the number of consul-telemetry-collector replicas to deploy. + replicas: 1 + + # This value defines additional configuration for the telemetry collector. It should be formatted as a multi-line + # json blob string + # + # ```yaml + # customExporterConfig: | + # {"http_collector_endpoint": "other-otel-collector"} + # ``` + # + # @type: string + customExporterConfig: null + + service: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted as a multi-line + # string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + serviceAccount: + # This value defines additional annotations for the telemetry-collector's service account. This should be formatted + # as a multi-line string. + # + # ```yaml + # annotations: | + # "sample/annotation1": "foo" + # "sample/annotation2": "bar" + # ``` + # + # @type: string + annotations: null + + cloud: + # The resource id of the HCP Consul Central cluster to push metrics for. Eg: + # `organization/27109cd4-a309-4bf3-9986-e1d071914b18/project/fcef6c24-259d-4510-bb8d-1d812e120e34/hashicorp.consul.global-network-manager.cluster/consul-cluster` + # + # This is used for HCP Consul Central-linked or HCP Consul Dedicated clusters where global.cloud.resourceId is unset. For example, when using externalServers + # with HCP Consul Dedicated clusters or HCP Consul Central-linked clusters in a different admin partition. + # + # If global.cloud.resourceId is set, this should either be unset (defaulting to global.cloud.resourceId) or be the same as global.cloud.resourceId. + # + # @default: global.cloud.resourceId + resourceId: + # The name of the Kubernetes secret that holds the resource id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the resource id. + # @type: string + secretKey: null + + # The client id portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientId + clientId: + # The name of the Kubernetes secret that holds the client id. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client id. + # @type: string + secretKey: null + + # The client secret portion of a [service principal](https://developer.hashicorp.com/hcp/docs/hcp/admin/iam/service-principals#service-principals) with authorization to push metrics to HCP. + # + # This is set in two scenarios: + # - the service principal in global.cloud is unset + # - the HCP UI provides a service principal with more narrowly scoped permissions that the service principal used in global.cloud + # + # @default: global.cloud.clientSecret + clientSecret: + # The name of the Kubernetes secret that holds the client secret. + # @type: string + secretName: null + # The key within the Kubernetes secret that holds the client secret. + # @type: string + secretKey: null + + initContainer: + # The resource settings for consul-telemetry-collector initContainer. + # @recurse: false + # @type: map + resources: {} + + # Optional YAML string to specify a nodeSelector config. + # @type: string + nodeSelector: null + + # Optional priorityClassName. + # @type: string + priorityClassName: "" + + # A list of extra environment variables to set within the deployment. + # These could be used to include proxy settings required for cloud auto-join + # feature, in case kubernetes cluster is behind egress http proxies. Additionally, + # it could be used to configure custom consul parameters. + # @type: map + extraEnvironmentVars: {} diff --git a/charts/hashicorp/consul/1.5.0/.helmignore b/charts/hashicorp/consul/1.5.0/.helmignore new file mode 100644 index 0000000000..3fa2f24edf --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/.helmignore @@ -0,0 +1,5 @@ +.git/ +.terraform/ +bin/ +test/ +crds/kustomization.yaml diff --git a/charts/hashicorp/consul/Chart.yaml b/charts/hashicorp/consul/1.5.0/Chart.yaml similarity index 100% rename from charts/hashicorp/consul/Chart.yaml rename to charts/hashicorp/consul/1.5.0/Chart.yaml diff --git a/charts/hashicorp/consul/1.5.0/README.md b/charts/hashicorp/consul/1.5.0/README.md new file mode 100644 index 0000000000..a0a9929ed4 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/README.md @@ -0,0 +1,109 @@ +# Consul on Kubernetes Helm Chart + +--- + + **We're looking for feedback on how folks are using Consul on Kubernetes. Please fill out our brief [survey](https://hashicorp.sjc1.qualtrics.com/jfe/form/SV_4MANbw1BUku7YhL)!** + +## Overview + +This is the Official HashiCorp Helm chart for installing and configuring Consul on Kubernetes. This chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can use Consul with Kubernetes, please see the Consul and Kubernetes documentation. + +> :warning: **Please note**: We take Consul's security and our users' trust very seriously. If +you believe you have found a security issue in Consul K8s, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +## Features + + * [**Consul Service Mesh**](https://www.consul.io/docs/k8s/connect): + Run Consul Service Mesh on Kubernetes. This feature + injects Envoy sidecars and registers your Pods with Consul. + + * [**Catalog Sync**](https://www.consul.io/docs/k8s/service-sync): + Sync Consul services into first-class Kubernetes services and vice versa. + This enables Kubernetes to easily access external services and for + non-Kubernetes nodes to easily discover and access Kubernetes services. + +## Installation + +`consul-k8s` is distributed in multiple forms: + + * The recommended installation method is the official + [Consul Helm chart](https://github.com/hashicorp/consul-k8s/tree/main/charts/consul). This will + automatically configure the Consul and Kubernetes integration to run within + an existing Kubernetes cluster. + + * A [Docker image `hashicorp/consul-k8s-control-plane`](https://hub.docker.com/r/hashicorp/consul-k8s-control-plane) is available. This can be used to manually run `consul-k8s-control-plane` within a scheduled environment. + + * Consul K8s CLI, distributed as `consul-k8s`, can be used to install and uninstall Consul Kubernetes. See the [Consul K8s CLI Reference](https://www.consul.io/docs/k8s/k8s-cli) for more details on usage. + +### Prerequisites + +The following pre-requisites must be met before installing Consul on Kubernetes. + + * **Kubernetes 1.26.x - 1.29.x** - This represents the earliest versions of Kubernetes tested. + It is possible that this chart works with earlier versions, but it is + untested. + * Helm install + * **Helm 3.6+** for Helm based installs. + * Consul K8s CLI based install + * `kubectl` configured to authenticate to a Kubernetes cluster with a valid `kubeconfig` file. + * `brew`, `yum`, or `apt` package manager on your local machine + +### CLI + +The Consul K8s CLI is the easiest way to get up and running with Consul on Kubernetes. See [Install Consul on K8s CLI](https://developer.hashicorp.com/consul/docs/k8s/installation/install-cli#install-the-cli) for more details on installation, and refer to +[Consul on Kubernetes CLI Reference](https://developer.hashicorp.com/consul/docs/k8s/k8s-cli) for more details on subcommands and a list of all available flags +for each subcommand. + + + 1. Install the HashiCorp tap, which is a repository of all Homebrew packages for HashiCorp: + + ``` bash + brew tap hashicorp/tap + ``` + +2. Install the Consul K8s CLI with hashicorp/tap/consul formula. + + ``` bash + brew install hashicorp/tap/consul-k8s + ``` + +3. Issue the install subcommand to install Consul on Kubernetes: + + ``` bash + consul-k8s install + ``` + +### Helm + +The Helm chart is ideal for those who prefer to use Helm for automation for either the installation or upgrade of Consul on Kubernetes. The chart supports multiple use cases of Consul on Kubernetes, depending on the values provided. Detailed installation instructions for Consul on Kubernetes are found [here](https://www.consul.io/docs/k8s/installation/overview). + +1. Add the HashiCorp Helm repository: + + ``` bash + helm repo add hashicorp https://helm.releases.hashicorp.com + ``` + +2. Ensure you have access to the Consul Helm chart and you see the latest chart version listed. If you have previously added the + HashiCorp Helm repository, run `helm repo update`. + + ``` bash + helm search repo hashicorp/consul + ``` + +3. Now you're ready to install Consul! To install Consul with the default configuration using Helm 3.2 run the following command below. + This will create a `consul` Kubernetes namespace if not already present, and install Consul on the dedicated namespace. + + ``` bash + helm install consul hashicorp/consul --set global.name=consul --create-namespace -n consul + +Please see the many options supported in the `values.yaml` +file. These are also fully documented directly on the +[Consul website](https://www.consul.io/docs/platform/k8s/helm.html). + +## Tutorials + +You can find examples and complete tutorials on how to deploy Consul on +Kubernetes using Helm on the [HashiCorp Learn website](https://learn.hashicorp.com/collections/consul/kubernetes). diff --git a/charts/hashicorp/consul/1.5.0/addons/gen.sh b/charts/hashicorp/consul/1.5.0/addons/gen.sh new file mode 100644 index 0000000000..1d03390bed --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/addons/gen.sh @@ -0,0 +1,37 @@ +#!/usr/bin/env bash +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + + +WD=$(dirname "$0") +WD=$(cd "$WD"; pwd) + +set -eux + +TEMPLATES="${WD}/../templates" +DASHBOARDS="${WD}/dashboards" +TMP=$(mktemp -d) + +# create Prometheus template +helm template prometheus prometheus \ + --repo https://prometheus-community.github.io/helm-charts \ + --namespace "replace-me-namespace" \ + --version 13.2.1 \ + -f "${WD}/values/prometheus.yaml" \ + > "${TEMPLATES}/prometheus.yaml" + +# Find and replace `replace-me-namespace` with `{{ .Release.Namespace }}` in Prometheus template. +sed -i'.orig' 's/replace-me-namespace/{{ .Release.Namespace }}/g' "${TEMPLATES}/prometheus.yaml" +# Add a comment to the top of the template file mentioning that the file is auto-generated. +sed -i'.orig' '1i\ +# This file is auto-generated, see addons/gen.sh +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- if .Values.prometheus.enabled }} to the top of the Prometheus template to ensure it is only templated when enabled. +sed -i'.orig' '1i\ +{{- if .Values.prometheus.enabled }} +' "${TEMPLATES}/prometheus.yaml" +# Add `{{- end }} to the bottom of the Prometheus template to ensure it is only templated when enabled (closes the `if` statement). +sed -i'.orig' -e '$a\ +{{- end }}' "${TEMPLATES}/prometheus.yaml" +# Remove the `prometheus.yaml.orig` file that is created as a side-effect of the `sed` command on OS X. +rm "${TEMPLATES}/prometheus.yaml.orig" \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/addons/values/prometheus.yaml b/charts/hashicorp/consul/1.5.0/addons/values/prometheus.yaml new file mode 100644 index 0000000000..1f90636f2e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/addons/values/prometheus.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Disable non-essential components +alertmanager: + enabled: false +pushgateway: + enabled: false +kubeStateMetrics: + enabled: false +nodeExporter: + enabled: false +server: + podAnnotations: + "consul.hashicorp.com/connect-inject": "false" + persistentVolume: + enabled: false + readinessProbeInitialDelay: 0 + # Speed up scraping a bit from the default + global: + scrape_interval: 15s diff --git a/charts/hashicorp/consul/1.5.0/assets/icon.png b/charts/hashicorp/consul/1.5.0/assets/icon.png new file mode 100644 index 0000000000..0798b2445d Binary files /dev/null and b/charts/hashicorp/consul/1.5.0/assets/icon.png differ diff --git a/charts/hashicorp/consul/1.5.0/templates/NOTES.txt b/charts/hashicorp/consul/1.5.0/templates/NOTES.txt new file mode 100644 index 0000000000..1f8f744154 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/NOTES.txt @@ -0,0 +1,21 @@ + +Thank you for installing HashiCorp Consul! + +Your release is named {{ .Release.Name }}. + +To learn more about the release, run: + + $ helm status {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + $ helm get all {{ .Release.Name }} {{- if .Release.Namespace }} --namespace {{ .Release.Namespace }}{{ end }} + +Consul on Kubernetes Documentation: +https://www.consul.io/docs/platform/k8s + +Consul on Kubernetes CLI Reference: +https://www.consul.io/docs/k8s/k8s-cli + +{{- if (and .Values.global.acls.manageSystemACLs (gt (len .Values.server.extraConfig) 3)) }} +Warning: Defining server extraConfig potentially disrupts the automatic ACL + bootstrapping required settings. This may cause future issues if + there are conflicts. +{{- end }} diff --git a/charts/hashicorp/consul/templates/_helpers.tpl b/charts/hashicorp/consul/1.5.0/templates/_helpers.tpl similarity index 100% rename from charts/hashicorp/consul/templates/_helpers.tpl rename to charts/hashicorp/consul/1.5.0/templates/_helpers.tpl diff --git a/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrole.yaml new file mode 100644 index 0000000000..6b8f2c5451 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrole.yaml @@ -0,0 +1,18 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +rules: +- apiGroups: [ "" ] + resources: + - serviceaccounts + verbs: + - get +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrolebinding.yaml new file mode 100644 index 0000000000..9bd6c64113 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/auth-method-clusterrolebinding.yaml @@ -0,0 +1,39 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-authdelegator + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:auth-delegator" +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-auth-method + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-auth-method +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/auth-method-secret.yaml b/charts/hashicorp/consul/1.5.0/templates/auth-method-secret.yaml new file mode 100644 index 0000000000..af0aeb4e1b --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/auth-method-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method + annotations: + kubernetes.io/service-account.name: {{ template "consul.fullname" . }}-auth-method +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/auth-method-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/auth-method-serviceaccount.yaml new file mode 100644 index 0000000000..098339b8c8 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/auth-method-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-auth-method + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: auth-method +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-config-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/client-config-configmap.yaml new file mode 100644 index 0000000000..cab2c7c043 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-config-configmap.yaml @@ -0,0 +1,40 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap with extra configuration specified directly to the chart +# for client agents only. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + client.json: |- + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true + {{- end }} + } + log-level.json: |- + { + {{- if .Values.client.logLevel }} + "log_level": "{{ .Values.client.logLevel | upper }}" + {{- end }} + } + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.connectInject.enabled }} + {{/* We set check_update_interval to 0s so that check output is immediately viewable + in the UI. */}} + config.json: |- + { + "check_update_interval": "0s" + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/client-daemonset.yaml b/charts/hashicorp/consul/1.5.0/templates/client-daemonset.yaml similarity index 100% rename from charts/hashicorp/consul/templates/client-daemonset.yaml rename to charts/hashicorp/consul/1.5.0/templates/client-daemonset.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/client-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/client-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0121bdf586 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-podsecuritypolicy.yaml @@ -0,0 +1,76 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.client.dataDirectoryHostPath }} + - 'hostPath' + {{- end }} + {{- if .Values.client.hostNetwork }} + hostNetwork: {{ .Values.client.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if (not (and .Values.global.tls.enabled .Values.global.tls.httpsOnly)) }} + # HTTP Port + - min: 8500 + max: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + # HTTPS port + - min: 8501 + max: 8501 + {{- end }} + {{- if .Values.client.grpc }} + # gRPC Port + - min: 8502 + max: 8502 + {{- end }} + {{- if (or .Values.client.exposeGossipPorts .Values.client.hostNetwork) }} + - min: 8301 + max: 8301 + {{- end }} + {{- if .Values.client.hostNetwork }} + - min: 8600 + max: 8600 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- if .Values.client.dataDirectoryHostPath }} + allowedHostPaths: + - pathPrefix: {{ .Values.client.dataDirectoryHostPath | quote }} + readOnly: false + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-role.yaml b/charts/hashicorp/consul/1.5.0/templates/client-role.yaml new file mode 100644 index 0000000000..7f05b82e6b --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-role.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +{{- if (or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies .Values.global.openshift.enabled) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end }} +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-client-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.openshift.enabled}} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-client + verbs: + - use +{{- end}} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/client-rolebinding.yaml new file mode 100644 index 0000000000..b034c70e55 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-client +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-client +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.5.0/templates/client-securitycontextconstraints.yaml new file mode 100644 index 0000000000..07e7711384 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-securitycontextconstraints.yaml @@ -0,0 +1,56 @@ +{{- if (and .Values.global.openshift.enabled (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required + to run the consul client. +{{- if .Values.client.dataDirectoryHostPath }} +allowHostDirVolumePlugin: true +{{- else }} +allowHostDirVolumePlugin: false +{{- end}} +allowHostIPC: false +allowHostNetwork: {{ .Values.client.hostNetwork }} +allowHostPID: false +allowHostPorts: true +allowPrivilegeEscalation: true +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- if .Values.client.dataDirectoryHostPath }} +- hostPath +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/client-serviceaccount.yaml new file mode 100644 index 0000000000..addd757b84 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-client + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client + {{- if .Values.client.serviceAccount.annotations }} + annotations: + {{ tpl .Values.client.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/client-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/client-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a379157f57 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/client-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the client-daemonset where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-client-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: client +data: + extra-from-values.json: |- +{{ tpl .Values.client.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-clusterrole.yaml new file mode 100644 index 0000000000..773942cca8 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-clusterrole.yaml @@ -0,0 +1,38 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +rules: +- apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + - patch + - update +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- if .Values.global.openshift.enabled}} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-cni + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-clusterrolebinding.yaml new file mode 100644 index 0000000000..4b860388b6 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-cni + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-cni +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/cni-daemonset.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-daemonset.yaml similarity index 100% rename from charts/hashicorp/consul/templates/cni-daemonset.yaml rename to charts/hashicorp/consul/1.5.0/templates/cni-daemonset.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-networkattachmentdefinition.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-networkattachmentdefinition.yaml new file mode 100644 index 0000000000..80ef50bac6 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-networkattachmentdefinition.yaml @@ -0,0 +1,25 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.connectInject.cni.multus)) }} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + config: '{ + "cniVersion": "0.3.1", + "type": "consul-cni", + "cni_bin_dir": "{{ .Values.connectInject.cni.cniBinDir }}", + "cni_net_dir": "{{ .Values.connectInject.cni.cniNetDir }}", + "kubeconfig": "ZZZ-consul-cni-kubeconfig", + "log_level": "{{ default .Values.global.logLevel .Values.connectInject.cni.logLevel }}", + "multus": true, + "name": "consul-cni", + "type": "consul-cni" + }' +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b600ed1b4b --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-podsecuritypolicy.yaml @@ -0,0 +1,31 @@ +{{- if (and .Values.connectInject.cni.enabled .Values.global.enablePodSecurityPolicies) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + privileged: true + # GKE requires that allowPrivilegeEscalation:true if privileged: true. + allowPrivilegeEscalation: true + volumes: + - hostPath + - secret + - emptyDir + hostNetwork: false + readOnlyRootFilesystem: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-resourcequota.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-resourcequota.yaml new file mode 100644 index 0000000000..054c3061f5 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +spec: + hard: + pods: {{ .Values.connectInject.cni.resourceQuota.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-securitycontextconstraints.yaml new file mode 100644 index 0000000000..2c09dba9b8 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-securitycontextconstraints.yaml @@ -0,0 +1,50 @@ +{{- if (and (.Values.connectInject.cni.enabled) (.Values.global.openshift.enabled)) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required + to run consul-cni. +allowHostDirVolumePlugin: true +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: true +allowPrivilegedContainer: true +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +- hostPath +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/cni-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/cni-serviceaccount.yaml new file mode 100644 index 0000000000..cf4250b696 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/cni-serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.connectInject.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-cni + namespace: {{ default .Release.Namespace .Values.connectInject.cni.namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: cni +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end}} diff --git a/charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-clusterrole.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-clusterrole.yaml rename to charts/hashicorp/consul/1.5.0/templates/connect-inject-clusterrole.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-clusterrolebinding.yaml new file mode 100644 index 0000000000..c380adb311 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-connect-injector +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/connect-inject-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-role.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-role.yaml new file mode 100644 index 0000000000..703aaffaac --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-role.yaml @@ -0,0 +1,41 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-rolebinding.yaml new file mode 100644 index 0000000000..9a27d3c868 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-leader-election-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-connect-inject-leader-election + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-connect-inject-leader-election +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-mutatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..e65c386636 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -0,0 +1,381 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The MutatingWebhookConfiguration to enable the Connect injector. +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +webhooks: +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-proxydefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-proxydefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - proxydefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-mesh + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-mesh.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicedefaults + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicedefaults.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicedefaults + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceresolver + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceresolver.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceresolvers + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicerouter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicerouter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicerouters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-servicesplitter + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-servicesplitter.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicesplitters + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-serviceintentions + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-serviceintentions.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceintentions + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-ingressgateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-ingressgateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - ingressgateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-terminatinggateway + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-terminatinggateway.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - terminatinggateways + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-exportedservices + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-exportedservices.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - exportedservices + sideEffects: None +- clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-controlplanerequestlimits + failurePolicy: Fail + admissionReviewVersions: + - "v1beta1" + - "v1" + name: mutate-controlplanerequestlimit.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - controlplanerequestlimits + sideEffects: None +- name: {{ template "consul.fullname" . }}-connect-injector.consul.hashicorp.com + # The webhook will fail scheduling all pods that are not part of consul if all replicas of the webhook are unhealthy. + objectSelector: + matchExpressions: + - key: app + operator: NotIn + values: [ {{ template "consul.name" . }} ] + failurePolicy: {{ .Values.connectInject.failurePolicy }} + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate" + rules: + - operations: [ "CREATE" ] + apiGroups: [ "" ] + apiVersions: [ "v1" ] + resources: [ "pods" ] +{{- if .Values.connectInject.namespaceSelector }} + namespaceSelector: +{{ tpl .Values.connectInject.namespaceSelector . | indent 6 }} +{{- end }} +{{- if .Values.global.peering.enabled }} +- name: {{ template "consul.fullname" . }}-mutate-peeringacceptors.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringacceptors" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringacceptors + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- name: {{ template "consul.fullname" . }}-mutate-peeringdialers.consul.hashicorp.com + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: "/mutate-v1alpha1-peeringdialers" + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - peeringdialers + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - "v1beta1" + - "v1" +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-samenessgroup + failurePolicy: Fail + name: mutate-samenessgroup.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - samenessgroups + sideEffects: None +{{- if (mustHas "resource-apis" .Values.global.experiments) }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v2beta1-trafficpermissions + failurePolicy: Fail + name: mutate-trafficpermissions.auth.consul.hashicorp.com + rules: + - apiGroups: + - auth.consul.hashicorp.com + apiVersions: + - v2beta1 + operations: + - CREATE + - UPDATE + resources: + - trafficpermissions + sideEffects: None +{{- end }} +{{- end }} +- admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + path: /mutate-v1alpha1-jwtprovider + failurePolicy: Fail + name: mutate-jwtprovider.consul.hashicorp.com + rules: + - apiGroups: + - consul.hashicorp.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwtproviders + sideEffects: None +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-podsecuritypolicy.yaml new file mode 100644 index 0000000000..0fafef7c40 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-service.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-service.yaml new file mode 100644 index 0000000000..b0284af74d --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-service.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }} +# The service for the Connect sidecar injector +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + ports: + - port: 443 + targetPort: 8080 + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} + diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-inject-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-serviceaccount.yaml new file mode 100644 index 0000000000..ea2352c7ac --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-inject-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector + {{- if .Values.connectInject.serviceAccount.annotations }} + annotations: + {{ tpl .Values.connectInject.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} +- name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/connect-inject-validatingwebhookconfiguration.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-inject-validatingwebhookconfiguration.yaml similarity index 100% rename from charts/hashicorp/consul/templates/connect-inject-validatingwebhookconfiguration.yaml rename to charts/hashicorp/consul/1.5.0/templates/connect-inject-validatingwebhookconfiguration.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/connect-injector-disruptionbudget.yaml b/charts/hashicorp/consul/1.5.0/templates/connect-injector-disruptionbudget.yaml new file mode 100644 index 0000000000..9b9cf2e39e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/connect-injector-disruptionbudget.yaml @@ -0,0 +1,30 @@ +{{- if (and .Values.connectInject.disruptionBudget.enabled (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the connectInject cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-connect-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: connect-injector +spec: + {{- if .Values.connectInject.disruptionBudget.minAvailable }} + minAvailable: {{ .Values.connectInject.disruptionBudget.minAvailable }} + {{- else }} + maxUnavailable: {{ template "consul.pdb.connectInject.maxUnavailable" . }} + {{- end }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: connect-injector +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-apigateways.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-apigateways.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-apigateways.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-apigateways.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-controlplanerequestlimits.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-controlplanerequestlimits.yaml new file mode 100644 index 0000000000..1939a8d373 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-controlplanerequestlimits.yaml @@ -0,0 +1,195 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: controlplanerequestlimits.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ControlPlaneRequestLimit + listKind: ControlPlaneRequestLimitList + plural: controlplanerequestlimits + singular: controlplanerequestlimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ControlPlaneRequestLimit is the Schema for the controlplanerequestlimits + API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ControlPlaneRequestLimitSpec defines the desired state of + ControlPlaneRequestLimit. + properties: + acl: + properties: + readRate: + type: number + writeRate: + type: number + type: object + catalog: + properties: + readRate: + type: number + writeRate: + type: number + type: object + configEntry: + properties: + readRate: + type: number + writeRate: + type: number + type: object + connectCA: + properties: + readRate: + type: number + writeRate: + type: number + type: object + coordinate: + properties: + readRate: + type: number + writeRate: + type: number + type: object + discoveryChain: + properties: + readRate: + type: number + writeRate: + type: number + type: object + health: + properties: + readRate: + type: number + writeRate: + type: number + type: object + intention: + properties: + readRate: + type: number + writeRate: + type: number + type: object + kv: + properties: + readRate: + type: number + writeRate: + type: number + type: object + mode: + type: string + preparedQuery: + properties: + readRate: + type: number + writeRate: + type: number + type: object + readRate: + type: number + session: + properties: + readRate: + type: number + writeRate: + type: number + type: object + tenancy: + properties: + readRate: + type: number + writeRate: + type: number + type: object + txn: + properties: + readRate: + type: number + writeRate: + type: number + type: object + writeRate: + type: number + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices-v1.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices-v1.yaml new file mode 100644 index 0000000000..081a2b0cf0 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices-v1.yaml @@ -0,0 +1,139 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + shortNames: + - exported-services + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the exportedservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExportedServicesSpec defines the desired state of ExportedServices. + properties: + services: + description: Services is a list of services to be exported and the + list of partitions to expose them to. + items: + description: ExportedService manages the exporting of a service + in the local partition to other partitions. + properties: + consumers: + description: Consumers is a list of downstream consumers of + the service to be exported. + items: + description: ServiceConsumer represents a downstream consumer + of the service to be exported. + properties: + partition: + description: Partition is the admin partition to export + the service to. + type: string + peer: + description: Peer is the name of the peer to export the + service to. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness + group to export the service to. + type: string + type: object + type: array + name: + description: Name is the name of the service to be exported. + type: string + namespace: + description: Namespace is the namespace to export the service + from. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices.yaml new file mode 100644 index 0000000000..6613e3da7e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-exportedservices.yaml @@ -0,0 +1,108 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: exportedservices.multicluster.consul.hashicorp.com +spec: + group: multicluster.consul.hashicorp.com + names: + kind: ExportedServices + listKind: ExportedServicesList + plural: exportedservices + singular: exportedservices + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ExportedServices is the Schema for the Exported Services API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + consumers: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + services: + items: + type: string + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs-v1.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclassconfigs-v1.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gatewayclassconfigs-v1.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-gatewayclassconfigs-v1.yaml diff --git a/charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclassconfigs.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-gatewayclassconfigs.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-gatewayclassconfigs.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses-external.yaml new file mode 100644 index 0000000000..93435b7fce --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses-external.yaml @@ -0,0 +1,328 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + deprecated: true + deprecationWarning: The v1alpha2 version of GatewayClass has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: "GatewayClass describes a class of Gateways available to the user for creating Gateway resources. \n It is recommended that this resource be used as a template for Gateways. This means that a Gateway is based on the state of the GatewayClass at the time it was created and changes to the GatewayClass or associated parameters are not propagated down to existing Gateways. This recommendation is intended to limit the blast radius of changes to GatewayClass or associated parameters. If implementations choose to propagate GatewayClass changes to existing Gateways, that MUST be clearly documented by the implementation. \n Whenever one or more Gateways are using a GatewayClass, implementations MUST add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the associated GatewayClass. This ensures that a GatewayClass associated with a Gateway is not deleted while in use. \n GatewayClass is a Cluster level resource." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: "ControllerName is the name of the controller that is managing Gateways of this class. The value of this field MUST be a domain prefixed path. \n Example: \"example.net/gateway-controller\". \n This field is not mutable and cannot be empty. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: "ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the GatewayClass. This is optional if the controller does not require any additional configuration. \n ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, or an implementation-specific custom resource. The resource can be cluster-scoped or namespace-scoped. \n If the referent cannot be found, the GatewayClass's \"InvalidParameters\" status condition will be true. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. This field is required when referring to a Namespace-scoped resource and MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Waiting + status: Unknown + type: Accepted + description: Status defines the current state of GatewayClass. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: "Conditions is the current status from the controller for this GatewayClass. \n Controllers should prefer to publish conditions using values of GatewayClassConditionType for the type of each Condition." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses.yaml new file mode 100644 index 0000000000..70763f9104 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-gatewayclasses.yaml @@ -0,0 +1,122 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewayclasses.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: GatewayClass is the Schema for the Gateway Class API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName is the name of the Kubernetes controller + that manages Gateways of this class + type: string + description: + description: Description of GatewayClass + type: string + parametersRef: + description: ParametersRef refers to a resource responsible for configuring + the behavior of the GatewayClass. + properties: + group: + description: The Kubernetes Group that the referred object belongs + to + type: string + kind: + description: The Kubernetes Kind that the referred object is + type: string + name: + description: The Name of the referred object + type: string + namespace: + description: The kubernetes namespace that the referred object + is in + type: string + required: + - name + type: object + required: + - controllerName + - parametersRef + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-gatewaypolicies.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gatewaypolicies.yaml new file mode 100644 index 0000000000..1cdfa331f5 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-gatewaypolicies.yaml @@ -0,0 +1,282 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gatewaypolicies.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: GatewayPolicy + listKind: GatewayPolicyList + plural: gatewaypolicies + singular: gatewaypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: GatewayPolicy is the Schema for the gatewaypolicies API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GatewayPolicySpec defines the desired state of GatewayPolicy. + properties: + default: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + override: + properties: + jwt: + description: GatewayJWTRequirement holds the list of JWT providers + to be verified against. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry + with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the + actual claim information to be verified. + properties: + path: + description: Path is the path to the claim in + the token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the + given path: - If the type at the path is a list + then we verify that this value is contained + in the list. \n - If the type at the path is + a string then we verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + targetRef: + description: TargetRef identifies an API object to apply policy to. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + minLength: 1 + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: Namespace is the namespace of the referent. When + unspecified, the local namespace is inferred. Even when policy + targets a resource in a different namespace, it may only apply + to traffic originating from the same namespace as the policy. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: SectionName refers to the listener targeted by this + policy. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: GatewayPolicyStatus defines the observed state of the gateway. + properties: + conditions: + description: "Conditions describe the current conditions of the Policy. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-gateways-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-gateways-external.yaml new file mode 100644 index 0000000000..41df34942a --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-gateways-external.yaml @@ -0,0 +1,882 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of Gateway has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: "Addresses requested for this Gateway. This is optional and behavior can depend on the implementation. If a value is set in the spec and the requested address is invalid or unavailable, the implementation MUST indicate this in the associated entry in GatewayStatus.Addresses. \n The Addresses field represents a request for the address(es) on the \"outside of the Gateway\", that traffic bound for this Gateway will use. This could be the IP address or hostname of an external load balancer or other networking infrastructure, or some other address that traffic will be sent to. \n The .listener.hostname field is used to route traffic that has already arrived at the Gateway to the correct in-cluster destination. \n If no Addresses are specified, the implementation MAY schedule the Gateway in an implementation-specific manner, assigning an appropriate set of Addresses. \n The implementation MUST bind all Listeners to every GatewayAddress that it assigns to the Gateway and add a corresponding entry in GatewayStatus.Addresses. \n Support: Extended" + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + gatewayClassName: + description: GatewayClassName used for this Gateway. This is the name of a GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + listeners: + description: "Listeners associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway's addresses. At least one Listener MUST be specified. \n Each listener in a Gateway must have a unique combination of Hostname, Port, and Protocol. \n An implementation MAY group Listeners by Port and then collapse each group of Listeners into a single Listener if the implementation determines that the Listeners in the group are \"compatible\". An implementation MAY also group together and collapse compatible Listeners belonging to different Gateways. \n For example, an implementation might consider Listeners to be compatible with each other if all of the following conditions are met: \n 1. Either each Listener within the group specifies the \"HTTP\" Protocol or each Listener within the group specifies either the \"HTTPS\" or \"TLS\" Protocol. \n 2. Each Listener within the group specifies a Hostname that is unique within the group. \n 3. As a special case, one Listener within a group may omit Hostname, in which case this Listener matches when no other Listener matches. \n If the implementation does collapse compatible Listeners, the hostname provided in the incoming client request MUST be matched to a Listener to find the correct set of Routes. The incoming hostname MUST be matched using the Hostname field for each Listener in order of most to least specific. That is, exact matches must be processed before wildcard matches. \n If this field specifies multiple Listeners that have the same Port value but are not compatible, the implementation must raise a \"Conflicted\" condition in the Listener status. \n Support: Core" + items: + description: Listener embodies the concept of a logical endpoint where a Gateway accepts network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: "AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. \n Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria: \n * The most specific match as defined by the Route type. * The oldest Route based on creation timestamp. For example, a Route with a creation timestamp of \"2020-09-08 01:02:03\" is given precedence over a Route with a creation timestamp of \"2020-09-08 01:02:04\". * If everything else is equivalent, the Route appearing first in alphabetical order (namespace/name) should be given precedence. For example, foo/bar is given precedence over foo/baz. \n All valid rules within a Route attached to this Listener should be implemented. Invalid Route rules can be ignored (sometimes that will mean the full Route). If a Route rule transitions from valid to invalid, support for that Route rule should be dropped to ensure consistency. For example, even if a filter specified by a Route rule is invalid, the rest of the rules within that Route should still be supported. \n Support: Core" + properties: + kinds: + description: "Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. \n A RouteGroupKind MUST correspond to kinds of Routes that are compatible with the application protocol specified in the Listener's Protocol field. If an implementation does not support or recognize this resource type, it MUST set the \"ResolvedRefs\" condition to False for this Listener with the \"InvalidRouteKinds\" reason. \n Support: Core" + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: "Namespaces indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. \n Support: Core" + properties: + from: + default: Same + description: "From indicates where Routes will be selected for this Gateway. Possible values are: * All: Routes in all namespaces may be used by this Gateway. * Selector: Routes in namespaces selected by the selector may be used by this Gateway. * Same: Only Routes in the same namespace may be used by this Gateway. \n Support: Core" + enum: + - All + - Selector + - Same + type: string + selector: + description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of \"From\". \n Support: Core" + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + type: object + type: object + hostname: + description: "Hostname specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don't require hostname based matching. \n Implementations MUST apply Hostname matching appropriately for each of the following protocols: \n * TLS: The Listener Hostname MUST match the SNI. * HTTP: The Listener Hostname MUST match the Host header of the request. * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP protocol layers as described above. If an implementation does not ensure that both the SNI and Host header match the Listener hostname, it MUST clearly document that. \n For HTTPRoute and TLSRoute resources, there is an interaction with the `spec.hostnames` array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: "Name is the name of the Listener. This name MUST be unique within a Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: "Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. \n Support: Core" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: "Protocol specifies the network protocol this listener expects to receive. \n Support: Core" + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: "TLS is the TLS configuration for the Listener. This field is required if the Protocol field is \"HTTPS\" or \"TLS\". It is invalid to set this field if the Protocol field is \"HTTP\", \"TCP\", or \"UDP\". \n The association of SNIs to Certificate defined in GatewayTLSConfig is defined based on the Hostname field for this listener. \n The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. \n Support: Core" + properties: + certificateRefs: + description: "CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. \n A single CertificateRef to a Kubernetes Secret has \"Core\" support. Implementations MAY choose to support attaching multiple certificates to a Listener, but this behavior is implementation-specific. \n References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached. If a ReferenceGrant does not allow this reference, the \"ResolvedRefs\" condition MUST be set to False for this listener with the \"RefNotPermitted\" reason. \n This field is required to have at least one element when the mode is set to \"Terminate\" (default) and is optional otherwise. \n CertificateRefs can reference to standard Kubernetes resources, i.e. Secret, or implementation-specific custom resources. \n Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls \n Support: Implementation-specific (More than one reference or other resource types)" + items: + description: "SecretObjectReference identifies an API object including its namespace, defaulting to Secret. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. \n References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: "Mode defines the TLS behavior for the TLS session initiated by the client. There are two possible modes: \n - Terminate: The TLS session between the downstream client and the Gateway is terminated at the Gateway. This mode requires certificateRefs to be set and contain at least one element. - Passthrough: The TLS session is NOT terminated by the Gateway. This implies that the Gateway can't decipher the TLS stream except for the ClientHello message of the TLS protocol. CertificateRefs field is ignored in this mode. \n Support: Core" + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: AnnotationValue is the value of an annotation in Gateway API. This is used for validation of maps such as TLS options. This roughly matches Kubernetes annotation validation, although the length validation in that case is based on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: "Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites. \n A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`. Un-prefixed names are reserved for key names defined by Gateway API. \n Support: Implementation-specific" + maxProperties: 16 + type: object + type: object + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: NotReconciled + status: Unknown + type: Accepted + description: Status defines the current state of Gateway. + properties: + addresses: + description: Addresses lists the IP addresses that have actually been bound to the Gateway. These addresses may differ from the addresses in the Spec, e.g. if the Gateway automatically assigns an address from a reserved pool. + items: + description: GatewayAddress describes an address that can be bound to a Gateway. + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: "Value of the address. The validity of the values will depend on the type and support by the controller. \n Examples: `1.2.3.4`, `128::1`, `my-ip-address`." + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the Gateway. \n Implementations should prefer to express Gateway conditions using the `GatewayConditionType` and `GatewayConditionReason` constants so that operators and tools can converge on a common vocabulary to describe Gateway state. \n Known condition types are: \n * \"Accepted\" * \"Ready\"" + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: AttachedRoutes represents the total number of Routes that have been successfully attached to this Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this listener. + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: "SupportedKinds is the list indicating the Kinds supported by this listener. This MUST represent the kinds an implementation supports for that Listener configuration. \n If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\" reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified." + items: + description: RouteGroupKind indicates the group and kind of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-grpcroutes-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-grpcroutes-external.yaml new file mode 100644 index 0000000000..739ed2c659 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-grpcroutes-external.yaml @@ -0,0 +1,766 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes the capability to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. Filters can be used to specify additional processing steps. Backends specify where matching requests will be routed. \n GRPCRoute falls under extended support within the Gateway API. Within the following specification, the word \"MUST\" indicates that an implementation supporting GRPCRoute must conform to the indicated requirement, but an implementation not supporting this route type need not follow the requirement unless explicitly indicated. \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via ALPN. If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation does not support this, then it MUST set the \"Accepted\" condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 connections with an upgrade from HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against the GRPC Host header to select a GRPCRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label MUST appear by itself as the first label. \n If a hostname is specified by both the Listener and GRPCRoute, there MUST be at least one intersecting hostname for the GRPCRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches GRPCRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and GRPCRoute have specified hostnames, any GRPCRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the GRPCRoute specified `test.example.com` and `test.example.net`, `test.example.net` MUST NOT be considered for a match. \n If both the Listener and GRPCRoute have specified hostnames, and none match with the criteria above, then the GRPCRoute MUST NOT be accepted by the implementation. The implementation MUST raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute is attached to a Listener and that listener already has another Route (B) of the other type attached and the intersection of the hostnames of A and B is non-empty, then the implementation MUST accept exactly one of these two routes, determined by the following criteria, in order: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n The rejected Route MUST raise an 'Accepted' condition with a status of 'False' in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching an gRPC request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive an `UNAVAILABLE` status. \n See the GRPCBackendRef definition for the rules about what makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive an `UNAVAILABLE` status. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations that support GRPCRoute. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that must be completed during the request or response lifecycle. GRPCRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations supporting GRPCRoute MUST support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - method: + type: Exact + description: "Matches define conditions used for matching the rule against incoming gRPC requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - method: service: foo.bar headers: values: version: 2 - method: service: foo.bar.v2 ``` \n For a request to match against this rule, it MUST satisfy EITHER of the two conditions: \n - service of foo.bar AND contains the header `version: 2` - service of foo.bar.v2 \n See the documentation for GRPCRouteMatch on how to specify multiple match conditions to be ANDed together. \n If no matches are specified, the implementation MUST match every gRPC request. \n Proxy or Load Balancer routing configuration generated from GRPCRoutes MUST prioritize rules based on the following criteria, continuing on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. Precedence MUST be given to the rule with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. * Characters in a matching service. * Characters in a matching method. * Header matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within the Route that has been given precedence, matching precedence MUST be granted to the first matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a gRPC request only if its service is `foo` AND it contains the `version: v1` header: \n ``` matches: - method: type: Exact service: \"foo\" headers: - name: \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. Multiple match values are ANDed together, meaning, a request MUST match all the specified headers to select the route. + items: + description: GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header to be matched. \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + default: + type: Exact + description: Method specifies a gRPC request service/method matcher. If this field is not specified, all services and methods will match. + properties: + method: + description: "Value of the method to match against. If left empty or omitted, will match all services. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Method must be a valid Protobuf Method (https://protobuf.com/docs/language-spec#methods)." + maxLength: 1024 + pattern: ^[A-Za-z_][A-Za-z_0-9]*$ + type: string + service: + description: "Value of the service to match against. If left empty or omitted, will match any service. \n At least one of Service and Method MUST be a non-empty string. \n A GRPC Service must be a valid Protobuf Type Name (https://protobuf.com/docs/language-spec#type-references)." + maxLength: 1024 + pattern: ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$ + type: string + type: + default: Exact + description: "Type specifies how to match against the service and/or method. Support: Core (Exact with service and method specified) \n Support: Implementation-specific (Exact with method specified but no service specified) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-grpcroutes.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-grpcroutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-grpcroutes.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-grpcroutes.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-httproutes-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-httproutes-external.yaml new file mode 100644 index 0000000000..bba3672d16 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-httproutes-external.yaml @@ -0,0 +1,1914 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to specify additional processing steps. Backends specify where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match against the HTTP Host header to select a HTTPRoute to process the request. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and HTTPRoute, there must be at least one intersecting hostname for the HTTPRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches HTTPRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `*.example.com`, `test.example.com`, and `foo.test.example.com` would all match. On the other hand, `example.com` and `test.example.net` would not match. \n Hostnames that are prefixed with a wildcard label (`*.`) are interpreted as a suffix match. That means that a match for `*.example.com` would match both `test.example.com`, and `foo.test.example.com`, but not `example.com`. \n If both the Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the HTTPRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and HTTPRoute have specified hostnames, and none match with the criteria above, then the HTTPRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. overlapping wildcard matching and exact matching hostnames), precedence must be given to rules from the HTTPRoute with the largest number of: \n * Characters in a matching non-wildcard hostname. * Characters in a matching hostname. \n If ties exist across multiple Routes, the matching precedence rules for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. \n Failure behavior here depends on how many BackendRefs are specified and how many are invalid. \n If *all* entries in BackendRefs are invalid, and there are also no filters specified in this route rule, *all* traffic which matches this rule MUST receive a 500 status code. \n See the HTTPBackendRef definition for the rules about what makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef is invalid, 500 status codes MUST be returned for requests that would have otherwise been routed to an invalid backend. If multiple backends are specified, and some are invalid, the proportion of requests that would otherwise have been routed to an invalid backend MUST receive a 500 status code. \n For example, if two backends are specified with equal weights, and one is invalid, 50 percent of traffic must receive a 500. Implementations may choose how that 50 percent is determined. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. \n Support: Implementation-specific (For broader support of filters, use the Filters field in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to requests that match this rule. \n The effects of ordering of multiple behaviors are currently unspecified. This can change in the future based on feedback during the alpha stage. \n Conformance-levels at this level are defined based on the type of filter: \n - ALL core filters MUST be supported by all implementations. - Implementers are encouraged to support extended filters. - Implementation-specific custom filters have no API guarantees across implementations. \n Specifying a core filter multiple times has unspecified or implementation-specific conformance. \n All filters are expected to be compatible with each other except for the URLRewrite and RequestRedirect filters, which may not be combined. If an implementation can not support other combinations of filters, they must clearly document that limitation. In all cases where incompatible or unsupported filters are specified, implementations MUST add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle. HTTPRouteFilters are meant as an extension point to express processing that may be done in Gateway implementations. Some examples include request or response modification, implementing authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific extension to the \"filter\" behavior. For example, resource \"myroutefilter\" in group \"networking.example.net\"). ExtensionRef MUST NOT be used for core and extended filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for a filter that modifies request headers. \n Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter that mirrors requests. Requests are sent to the specified destination, but responses from that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where mirrored requests are sent. \n If the referent cannot be found, this BackendRef is invalid and must be dropped from the Gateway. The controller must ensure the \"ResolvedRefs\" condition on the Route status is set to `status: False` and not configure this backend in the underlying implementation. \n If there is a cross-namespace reference to an *existing* object that is not allowed by a ReferenceGrant, the controller must ensure the \"ResolvedRefs\" condition on the Route is set to `status: False`, with the \"RefNotPermitted\" reason and not configure this backend in the underlying implementation. \n In either error case, the Message of the `ResolvedRefs` Condition should be used to provide more detail about the problem. \n Support: Extended for Kubernetes Service \n Support: Implementation-specific for any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter that responds to the request with an HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname of the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value of the `Location` header in the response. When empty, port (if specified) of the request is used. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to be used in response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema for a filter that modifies response headers. \n Support: Extended \n " + properties: + add: + description: "Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: add: - name: \"my-header\" value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz \n Config: remove: [\"my-header1\", \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the given header (name, value) before the action. \n Input: GET /foo HTTP/1.1 my-header: foo \n Config: set: - name: \"my-header\" value: \"bar\" \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. As with other API fields, types are classified into three conformance levels: \n - Core: Filter types and their corresponding configuration defined by \"Support: Core\" in this package, e.g. \"RequestHeaderModifier\". All implementations must support core filters. \n - Extended: Filter types and their corresponding configuration defined by \"Support: Extended\" in this package, e.g. \"RequestMirror\". Implementers are encouraged to support extended filters. \n - Implementation-specific: Filters that are defined and supported by specific vendors. In the future, filters showing convergence in behavior across multiple implementations will be considered for inclusion in extended or core conformance levels. Filter-specific configuration for such filters is specified using the ExtensionRef field. `Type` should be set to \"ExtensionRef\" for custom filters. \n Implementers are encouraged to define custom implementation types to extend the core API with implementation-specific behavior. \n If a reference to a custom filter type cannot be resolved, the filter MUST NOT be skipped. Instead, requests that would have been processed by that filter MUST receive a HTTP error response. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter that modifies a request during forwarding. \n Support: Extended \n " + properties: + hostname: + description: "Hostname is the value to be used to replace the Host header value during forwarding. \n Support: Extended \n " + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: Extended \n " + properties: + replaceFullPath: + description: "ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect. \n " + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to \"/foo/bar\" with a prefix match of \"/foo\" would be modified to \"/bar\". \n Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. \n " + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. Additional types may be added in a future release of the API. \n Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. \n Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. \n " + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if **any** one of the matches is satisfied. \n For example, take the following matches configuration: \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request to match against this rule, a request must satisfy EITHER of the two conditions: \n - path prefixed with `/foo` AND contains the header `version: v2` - path prefix of `/v2/foo` \n See the documentation for HTTPRouteMatch on how to specify multiple match conditions that should be ANDed together. \n If no matches are specified, the default is a prefix path match on \"/\", which has the effect of matching every HTTP request. \n Proxy or Load Balancer routing configuration generated from HTTPRoutes MUST prioritize matches based on the following criteria, continuing on ties. Across all rules specified on applicable Routes, precedence must be given to the match with the largest number of: \n * Characters in a matching path. * Header matches. * Query param matches. \n If ties still exist across multiple Routes, matching precedence MUST be determined in order of the following criteria, continuing on ties: \n * The oldest Route based on creation timestamp. * The Route appearing first in alphabetical order by \"{namespace}/{name}\". \n If ties still exist within an HTTPRoute, matching precedence MUST be granted to the FIRST matching rule (in list order) with a match meeting the above criteria. \n When no rules matching a request have been successfully attached to the parent a request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together, i.e. the match will evaluate to true only if all conditions are satisfied. \n For example, the match below will match a HTTP request only if its path starts with `/foo` AND it contains the `version: v1` header: \n ``` match: \n \tpath: \t value: \"/foo\" \theaders: \t- name: \"version\" \t value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. Multiple match values are ANDed together, meaning, a request must match all the specified headers to select the route. + items: + description: HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header to be matched. Name matching MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). \n If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, \"foo\" and \"Foo\" are considered equivalent. \n When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the header. \n Support: Core (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When specified, this route will be matched only if the request has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. If this field is not specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against the path Value. \n Support: Core (Exact, PathPrefix) \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter matchers. Multiple match values are ANDed together, meaning, a request must match all the specified query parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query param to be matched. This must be an exact string match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). \n If multiple entries specify equivalent query param names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent query param name MUST be ignored. \n If a query param is repeated in an HTTP request, the behavior is purposely left undefined, since different data planes have different capabilities. However, it is *recommended* that implementations should match against the first value of the param if the data plane supports it, as this behavior is expected in other load balancing contexts outside of the Gateway API. \n Users SHOULD NOT route traffic based on repeated query params to guard themselves against potential differences in the implementations." + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against the value of the query parameter. \n Support: Extended (Exact) \n Support: Implementation-specific (RegularExpression) \n Since RegularExpression QueryParamMatchType has Implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-httproutes.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-httproutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-httproutes.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-httproutes.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-ingressgateways.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-ingressgateways.yaml new file mode 100644 index 0000000000..dcbc543525 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-ingressgateways.yaml @@ -0,0 +1,447 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: ingressgateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: IngressGateway + listKind: IngressGatewayList + plural: ingressgateways + shortNames: + - ingress-gateway + singular: ingressgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressGateway is the Schema for the ingressgateways API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IngressGatewaySpec defines the desired state of IngressGateway. + properties: + defaults: + description: Defaults is default configuration for all upstream services + properties: + maxConcurrentRequests: + description: The maximum number of concurrent requests that will + be allowed at a single point in time. Use this to limit HTTP/2 + traffic, since HTTP/2 has many requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service instance + will be allowed to establish against the given upstream. Use + this to limit HTTP/1.1 traffic, since HTTP/1.1 has a request + per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will be queued + while waiting for a connection to be established. + format: int32 + type: integer + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how upstream + proxy instances will be monitored for removal from the load + balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. The + real time is equal to the base time multiplied by the number + of times the host has been ejected and is capped by max_ejection_time + (Default 300s). Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status is + detected through consecutive 5xx. This setting can be used + to disable ejection or to ramp it up slowly. Ex. Setting + this to 10 will make it a 10% chance that the host will + be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that can + be ejected due to outlier detection. Defaults to 10% but + will eject at least one host regardless of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + type: object + listeners: + description: Listeners declares what ports the ingress gateway should + listen on, and what services to associated to those ports. + items: + description: IngressListener manages the configuration for a listener + on a specific port. + properties: + port: + description: Port declares the port on which the ingress gateway + should listen for traffic. + type: integer + protocol: + description: 'Protocol declares what type of traffic this listener + is expected to receive. Depending on the protocol, a listener + might support multiplexing services over a single port, or + additional discovery chain features. The current supported + values are: (tcp | http | http2 | grpc).' + type: string + services: + description: Services declares the set of services to which + the listener forwards traffic. For "tcp" protocol listeners, + only a single service is allowed. For "http" listeners, multiple + services can be declared. + items: + description: IngressService manages configuration for services + that are exposed to ingress traffic. + properties: + hosts: + description: "Hosts is a list of hostnames which should + be associated to this service on the defined listener. + Only allowed on layer 7 protocols, this will be used + to route traffic to the service by matching the Host + header of the HTTP request. \n If a host is provided + for a service that also has a wildcard specifier defined, + the host will override the wildcard-specifier-provided + \".*\" domain for that listener. \n This + cannot be specified when using the wildcard specifier, + \"*\", or when using a \"tcp\" listener." + items: + type: string + type: array + maxConcurrentRequests: + description: The maximum number of concurrent requests + that will be allowed at a single point in time. Use + this to limit HTTP/2 traffic, since HTTP/2 has many + requests per connection. + format: int32 + type: integer + maxConnections: + description: The maximum number of connections a service + instance will be allowed to establish against the given + upstream. Use this to limit HTTP/1.1 traffic, since + HTTP/1.1 has a request per connection. + format: int32 + type: integer + maxPendingRequests: + description: The maximum number of requests that will + be queued while waiting for a connection to be established. + format: int32 + type: integer + name: + description: "Name declares the service to which traffic + should be forwarded. \n This can either be a specific + service, or the wildcard specifier, \"*\". If the wildcard + specifier is provided, the listener must be of \"http\" + protocol and means that the listener will forward traffic + to all services. \n A name can be specified on multiple + listeners, and will be exposed on both of the listeners." + type: string + namespace: + description: Namespace is the namespace where the service + is located. Namespacing is a Consul Enterprise feature. + type: string + partition: + description: Partition is the admin-partition where the + service is located. Partitioning is a Consul Enterprise + feature. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected + for. The real time is equal to the base time multiplied + by the number of times the host has been ejected + and is capped by max_ejection_time (Default 300s). + Defaults to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This + setting can be used to disable ejection or to ramp + it up slowly. Ex. Setting this to 10 will make it + a 10% chance that the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set + the interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster + that can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for + HTTP header modification that should be performed by + proxies as the request passes through them. It can operate + on either request or response headers depending on the + context in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + tls: + description: TLS allows specifying some TLS configuration + per listener. + properties: + sds: + description: SDS allows configuring TLS certificate + from an SDS service. + properties: + certResource: + description: CertResource is the SDS resource + name to request when fetching the certificate + from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name + to connect to, to retrieve certificates. This + cluster must be specified in the Gateway's bootstrap + configuration. + type: string + type: object + type: object + type: object + type: array + tls: + description: TLS config for this listener. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict + Only applicable to connections negotiated via TLS 1.2 + or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this + gateway service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from + an SDS service. + properties: + certResource: + description: CertResource is the SDS resource name to + request when fetching the certificate from the SDS + service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to + connect to, to retrieve certificates. This cluster + must be specified in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS + version supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or + `TLSv1_3`. If unspecified, Envoy will default to TLS 1.3 + as a max version for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS + version supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, + `TLSv1_2`, or `TLSv1_3`. If unspecified, Envoy v1.22.0 + and newer will default to TLS 1.2 as a min version, while + older releases of Envoy default to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + type: array + tls: + description: TLS holds the TLS configuration for this gateway. + properties: + cipherSuites: + description: Define a subset of cipher suites to restrict Only + applicable to connections negotiated via TLS 1.2 or earlier. + items: + type: string + type: array + enabled: + description: Indicates that TLS should be enabled for this gateway + service. + type: boolean + sds: + description: SDS allows configuring TLS certificate from an SDS + service. + properties: + certResource: + description: CertResource is the SDS resource name to request + when fetching the certificate from the SDS service. + type: string + clusterName: + description: ClusterName is the SDS cluster name to connect + to, to retrieve certificates. This cluster must be specified + in the Gateway's bootstrap configuration. + type: string + type: object + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will default + to TLS 1.2 as a min version, while older releases of Envoy default + to TLS 1.0. + type: string + required: + - enabled + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-jwtproviders.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-jwtproviders.yaml new file mode 100644 index 0000000000..94c9697b33 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-jwtproviders.yaml @@ -0,0 +1,313 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: jwtproviders.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: JWTProvider + listKind: JWTProviderList + plural: jwtproviders + singular: jwtprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWTProvider is the Schema for the jwtproviders API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: JWTProviderSpec defines the desired state of JWTProvider + properties: + audiences: + description: Audiences is the set of audiences the JWT is allowed + to access. If specified, all JWTs verified with this provider must + address at least one of these to be considered valid. + items: + type: string + type: array + cacheConfig: + description: CacheConfig defines configuration for caching the validation + result for previously seen JWTs. Caching results can speed up verification + when individual tokens are expected to be handled multiple times. + properties: + size: + description: "Size specifies the maximum number of JWT verification + results to cache. \n Defaults to 0, meaning that JWT caching + is disabled." + type: integer + type: object + clockSkewSeconds: + description: "ClockSkewSeconds specifies the maximum allowable time + difference from clock skew when validating the \"exp\" (Expiration) + and \"nbf\" (Not Before) claims. \n Default value is 30 seconds." + type: integer + forwarding: + description: Forwarding defines rules for forwarding verified JWTs + to the backend. + properties: + headerName: + description: "HeaderName is a header name to use when forwarding + a verified JWT to the backend. The verified JWT could have been + extracted from any location (query param, header, or cookie). + \n The header value will be base64-URL-encoded, and will not + be padded unless PadForwardPayloadHeader is true." + type: string + padForwardPayloadHeader: + description: "PadForwardPayloadHeader determines whether padding + should be added to the base64 encoded token forwarded with ForwardPayloadHeader. + \n Default value is false." + type: boolean + type: object + issuer: + description: Issuer is the entity that must have issued the JWT. This + value must match the "iss" claim of the token. + type: string + jsonWebKeySet: + description: JSONWebKeySet defines a JSON Web Key Set, its location + on disk, or the means with which to fetch a key set from a remote + server. + properties: + local: + description: Local specifies a local source for the key set. + properties: + filename: + description: Filename configures a location on disk where + the JWKS can be found. If specified, the file must be present + on the disk of ALL proxies with intentions referencing this + provider. + type: string + jwks: + description: JWKS contains a base64 encoded JWKS. + type: string + type: object + remote: + description: Remote specifies how to fetch a key set from a remote + server. + properties: + cacheDuration: + description: "CacheDuration is the duration after which cached + keys should be expired. \n Default value is 5 minutes." + type: string + fetchAsynchronously: + description: "FetchAsynchronously indicates that the JWKS + should be fetched when a client request arrives. Client + requests will be paused until the JWKS is fetched. If false, + the proxy listener will wait for the JWKS to be fetched + before being activated. \n Default value is false." + type: boolean + jwksCluster: + description: JWKSCluster defines how the specified Remote + JWKS URI is to be fetched. + properties: + connectTimeout: + description: The timeout for new network connections to + hosts in the cluster. If not set, a default value of + 5s will be used. + type: string + discoveryType: + description: "DiscoveryType refers to the service discovery + type to use for resolving the cluster. \n This defaults + to STRICT_DNS. Other options include STATIC, LOGICAL_DNS, + EDS or ORIGINAL_DST." + type: string + tlsCertificates: + description: "TLSCertificates refers to the data containing + certificate authority certificates to use in verifying + a presented peer certificate. If not specified and a + peer certificate is presented it will not be verified. + \n Must be either CaCertificateProviderInstance or TrustedCA." + properties: + caCertificateProviderInstance: + description: CaCertificateProviderInstance Certificate + provider instance for fetching TLS certificates. + properties: + certificateName: + description: "CertificateName is used to specify + certificate instances or types. For example, + \"ROOTCA\" to specify a root-certificate (validation + context) or \"example.com\" to specify a certificate + for a particular domain. \n The default value + is the empty string." + type: string + instanceName: + description: "InstanceName refers to the certificate + provider instance name. \n The default value + is \"default\"." + type: string + type: object + trustedCA: + description: "TrustedCA defines TLS certificate data + containing certificate authority certificates to + use in verifying a presented peer certificate. \n + Exactly one of Filename, EnvironmentVariable, InlineString + or InlineBytes must be specified." + properties: + environmentVariable: + type: string + filename: + type: string + inlineBytes: + format: byte + type: string + inlineString: + type: string + type: object + type: object + type: object + requestTimeoutMs: + description: RequestTimeoutMs is the number of milliseconds + to time out when making a request for the JWKS. + type: integer + retryPolicy: + description: "RetryPolicy defines a retry policy for fetching + JWKS. \n There is no retry by default." + properties: + numRetries: + description: "NumRetries is the number of times to retry + fetching the JWKS. The retry strategy uses jittered + exponential backoff with a base interval of 1s and max + of 10s. \n Default value is 0." + type: integer + retryPolicyBackOff: + description: "Retry's backoff policy. \n Defaults to Envoy's + backoff policy." + properties: + baseInterval: + description: "BaseInterval to be used for the next + back off computation. \n The default value from + envoy is 1s." + type: string + maxInterval: + description: "MaxInternal to be used to specify the + maximum interval between retries. Optional but should + be greater or equal to BaseInterval. \n Defaults + to 10 times BaseInterval." + type: string + type: object + type: object + uri: + description: URI is the URI of the server to query for the + JWKS. + type: string + type: object + type: object + locations: + description: 'Locations where the JWT will be present in requests. + Envoy will check all of these locations to extract a JWT. If no + locations are specified Envoy will default to: 1. Authorization + header with Bearer schema: "Authorization: Bearer " 2. accessToken + query parameter.' + items: + description: "JWTLocation is a location where the JWT could be present + in requests. \n Only one of Header, QueryParam, or Cookie can + be specified." + properties: + cookie: + description: Cookie defines how to extract a JWT from an HTTP + request cookie. + properties: + name: + description: Name is the name of the cookie containing the + token. + type: string + type: object + header: + description: Header defines how to extract a JWT from an HTTP + request header. + properties: + forward: + description: "Forward defines whether the header with the + JWT should be forwarded after the token has been verified. + If false, the header will not be forwarded to the backend. + \n Default value is false." + type: boolean + name: + description: Name is the name of the header containing the + token. + type: string + valuePrefix: + description: 'ValuePrefix is an optional prefix that precedes + the token in the header value. For example, "Bearer " + is a standard value prefix for a header named "Authorization", + but the prefix is not part of the token itself: "Authorization: + Bearer "' + type: string + type: object + queryParam: + description: QueryParam defines how to extract a JWT from an + HTTP request query parameter. + properties: + name: + description: Name is the name of the query param containing + the token. + type: string + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-meshconfigurations.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-meshconfigurations.yaml new file mode 100644 index 0000000000..21114d723f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-meshconfigurations.yaml @@ -0,0 +1,100 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshConfiguration + listKind: MeshConfigurationList + plural: meshconfigurations + singular: meshconfiguration + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshConfiguration is the Schema for the Mesh Configuration + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshConfiguration is responsible for configuring the default + behavior of Mesh Gateways. This is a Resource type. + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-meshes.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-meshes.yaml new file mode 100644 index 0000000000..f8ce4fc12e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-meshes.yaml @@ -0,0 +1,207 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshes.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: Mesh is the Schema for the mesh API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: MeshSpec defines the desired state of Mesh. + properties: + allowEnablingPermissiveMutualTLS: + description: AllowEnablingPermissiveMutualTLS must be true in order + to allow setting MutualTLSMode=permissive in either service-defaults + or proxy-defaults. + type: boolean + http: + description: HTTP defines the HTTP configuration for the service mesh. + properties: + sanitizeXForwardedClientCert: + type: boolean + required: + - sanitizeXForwardedClientCert + type: object + peering: + description: Peering defines the peering configuration for the service + mesh. + properties: + peerThroughMeshGateways: + description: PeerThroughMeshGateways determines whether peering + traffic between control planes should flow through mesh gateways. + If enabled, Consul servers will advertise mesh gateway addresses + as their own. Additionally, mesh gateways will configure themselves + to expose the local servers using a peering-specific SNI. + type: boolean + type: object + tls: + description: TLS defines the TLS configuration for the service mesh. + properties: + incoming: + description: Incoming defines the TLS configuration for inbound + mTLS connections targeting the public listener on Connect and + TerminatingGateway proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + outgoing: + description: Outgoing defines the TLS configuration for outbound + mTLS connections dialing upstreams from Connect and IngressGateway + proxy kinds. + properties: + cipherSuites: + description: CipherSuites sets the default list of TLS cipher + suites to support when negotiating connections using TLS + 1.2 or earlier. If unspecified, Envoy will use a default + server cipher list. The list of supported cipher suites + can be seen in https://github.com/hashicorp/consul/blob/v1.11.2/types/tls.go#L154-L169 + and is dependent on underlying support in Envoy. Future + releases of Envoy may remove currently-supported but insecure + cipher suites, and future releases of Consul may add new + supported cipher suites if any are added to Envoy. + items: + type: string + type: array + tlsMaxVersion: + description: TLSMaxVersion sets the default maximum TLS version + supported. Must be greater than or equal to `TLSMinVersion`. + One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, or `TLSv1_3`. + If unspecified, Envoy will default to TLS 1.3 as a max version + for incoming connections. + type: string + tlsMinVersion: + description: TLSMinVersion sets the default minimum TLS version + supported. One of `TLS_AUTO`, `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, + or `TLSv1_3`. If unspecified, Envoy v1.22.0 and newer will + default to TLS 1.2 as a min version, while older releases + of Envoy default to TLS 1.0. + type: string + type: object + type: object + transparentProxy: + description: TransparentProxy controls the configuration specific + to proxies in "transparent" mode. Added in v1.10.0. + properties: + meshDestinationsOnly: + description: MeshDestinationsOnly determines whether sidecar proxies + operating in "transparent" mode can proxy traffic to IP addresses + not registered in Consul's catalog. If enabled, traffic will + only be proxied to upstreams with service registrations in the + catalog. + type: boolean + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-meshgateways.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-meshgateways.yaml new file mode 100644 index 0000000000..6202add695 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-meshgateways.yaml @@ -0,0 +1,134 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshgateways.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: MeshGateway is the Schema for the Mesh Gateway API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass used + by the MeshGateway + type: string + listeners: + items: + properties: + name: + type: string + port: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + protocol: + enum: + - TCP + type: string + type: object + minItems: 1 + type: array + workloads: + description: Selection of workloads to be configured as mesh gateways + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-meshservices.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-meshservices.yaml new file mode 100644 index 0000000000..a5d36fb966 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-meshservices.yaml @@ -0,0 +1,56 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: meshservices.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService holds a reference to an externally managed Consul + Service Mesh service. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of MeshService. + properties: + name: + description: Name holds the service name for a Consul service. + type: string + peer: + description: Peer optionally specifies the name of the peer exporting + the Consul service. If not specified, the Consul service is assumed + to be in the local datacenter. + type: string + type: object + type: object + served: true + storage: true +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-peeringacceptors.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-peeringacceptors.yaml new file mode 100644 index 0000000000..2352ba7ad3 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-peeringacceptors.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringacceptors.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringAcceptor + listKind: PeeringAcceptorList + plural: peeringacceptors + shortNames: + - peering-acceptor + singular: peeringacceptor + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringAcceptor is the Schema for the peeringacceptors API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringAcceptorSpec defines the desired state of PeeringAcceptor. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringAcceptorStatus defines the observed state of PeeringAcceptor. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-peeringdialers.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-peeringdialers.yaml new file mode 100644 index 0000000000..09991d2091 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-peeringdialers.yaml @@ -0,0 +1,146 @@ +{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: peeringdialers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: PeeringDialer + listKind: PeeringDialerList + plural: peeringdialers + shortNames: + - peering-dialer + singular: peeringdialer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PeeringDialer is the Schema for the peeringdialers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PeeringDialerSpec defines the desired state of PeeringDialer. + properties: + peer: + description: Peer describes the information needed to create a peering. + properties: + secret: + description: Secret describes how to store the generated peering + token. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + type: object + type: object + required: + - peer + type: object + status: + description: PeeringDialerStatus defines the observed state of PeeringDialer. + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + latestPeeringVersion: + description: LatestPeeringVersion is the latest version of the resource + that was reconciled. + format: int64 + type: integer + secret: + description: SecretRef shows the status of the secret. + properties: + backend: + description: 'Backend is where the generated secret is stored. + Currently supports the value: "kubernetes".' + type: string + key: + description: Key is the key of the secret generated. + type: string + name: + description: Name is the name of the secret generated. + type: string + resourceVersion: + description: ResourceVersion is the resource version for the secret. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-proxyconfigurations.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-proxyconfigurations.yaml new file mode 100644 index 0000000000..3d19d5ea4f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-proxyconfigurations.yaml @@ -0,0 +1,405 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxyconfigurations.mesh.consul.hashicorp.com +spec: + group: mesh.consul.hashicorp.com + names: + kind: ProxyConfiguration + listKind: ProxyConfigurationList + plural: proxyconfigurations + shortNames: + - proxy-configuration + singular: proxyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2beta1 + schema: + openAPIV3Schema: + description: ProxyConfiguration is the Schema for the TCP Routes API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: This is a Resource type. + properties: + bootstrapConfig: + description: bootstrap_config is the configuration that requires proxies + to be restarted to be applied. + properties: + dogstatsdUrl: + type: string + overrideJsonTpl: + type: string + prometheusBindAddr: + type: string + readyBindAddr: + type: string + staticClustersJson: + type: string + staticListenersJson: + type: string + statsBindAddr: + type: string + statsConfigJson: + type: string + statsFlushInterval: + type: string + statsSinksJson: + type: string + statsTags: + items: + type: string + type: array + statsdUrl: + type: string + telemetryCollectorBindSocketDir: + type: string + tracingConfigJson: + type: string + type: object + dynamicConfig: + description: dynamic_config is the configuration that could be changed + dynamically (i.e. without needing restart). + properties: + accessLogs: + description: AccessLogs configures the output and format of Envoy + access logs + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have + a matching listener filter. + type: boolean + enabled: + description: Enabled turns off all access logging + type: boolean + jsonFormat: + description: The presence of one format string or the other + implies the access log string encoding. Defining both is + invalid. + type: string + path: + description: Path is the output file to write logs + type: string + textFormat: + type: string + type: + description: 'Type selects the output for logs: "file", "stderr". + "stdout"' + enum: + - LOG_SINK_TYPE_DEFAULT + - LOG_SINK_TYPE_FILE + - LOG_SINK_TYPE_STDERR + - LOG_SINK_TYPE_STDOUT + format: int32 + type: string + type: object + exposeConfig: + properties: + exposePaths: + items: + properties: + listenerPort: + format: int32 + type: integer + localPathPort: + format: int32 + type: integer + path: + type: string + protocol: + enum: + - EXPOSE_PATH_PROTOCOL_HTTP + - EXPOSE_PATH_PROTOCOL_HTTP2 + format: int32 + type: string + type: object + type: array + type: object + inboundConnections: + description: inbound_connections configures inbound connections + to the proxy. + properties: + balanceInboundConnections: + enum: + - BALANCE_CONNECTIONS_DEFAULT + - BALANCE_CONNECTIONS_EXACT + format: int32 + type: string + maxInboundConnections: + format: int32 + type: integer + type: object + listenerTracingJson: + type: string + localClusterJson: + type: string + localConnection: + additionalProperties: + description: Referenced by ProxyConfiguration + properties: + connectTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + requestTimeout: + description: "A Duration represents a signed, fixed-length + span of time represented as a count of seconds and fractions + of seconds at nanosecond resolution. It is independent + of any calendar and concepts like \"day\" or \"month\". + It is related to Timestamp in that the difference between + two Timestamp values is a Duration and it can be added + or subtracted from a Timestamp. Range is approximately + +-10,000 years. \n # Examples \n Example 1: Compute Duration + from two Timestamps in pseudo code. \n Timestamp start + = ...; Timestamp end = ...; Duration duration = ...; \n + duration.seconds = end.seconds - start.seconds; duration.nanos + = end.nanos - start.nanos; \n if (duration.seconds < 0 + && duration.nanos > 0) { duration.seconds += 1; duration.nanos + -= 1000000000; } else if (duration.seconds > 0 && duration.nanos + < 0) { duration.seconds -= 1; duration.nanos += 1000000000; + } \n Example 2: Compute Timestamp from Timestamp + Duration + in pseudo code. \n Timestamp start = ...; Duration duration + = ...; Timestamp end = ...; \n end.seconds = start.seconds + + duration.seconds; end.nanos = start.nanos + duration.nanos; + \n if (end.nanos < 0) { end.seconds -= 1; end.nanos += + 1000000000; } else if (end.nanos >= 1000000000) { end.seconds + += 1; end.nanos -= 1000000000; } \n Example 3: Compute + Duration from datetime.timedelta in Python. \n td = datetime.timedelta(days=3, + minutes=10) duration = Duration() duration.FromTimedelta(td) + \n # JSON Mapping \n In JSON format, the Duration type + is encoded as a string rather than an object, where the + string ends in the suffix \"s\" (indicating seconds) and + is preceded by the number of seconds, with nanoseconds + expressed as fractional seconds. For example, 3 seconds + with 0 nanoseconds should be encoded in JSON format as + \"3s\", while 3 seconds and 1 nanosecond should be expressed + in JSON format as \"3.000000001s\", and 3 seconds and + 1 microsecond should be expressed in JSON format as \"3.000001s\"." + format: duration + properties: + nanos: + description: Signed fractions of a second at nanosecond + resolution of the span of time. Durations less than + one second are represented with a 0 `seconds` field + and a positive or negative `nanos` field. For durations + of one second or more, a non-zero value for the `nanos` + field must be of the same sign as the `seconds` field. + Must be from -999,999,999 to +999,999,999 inclusive. + format: int32 + type: integer + seconds: + description: 'Signed seconds of the span of time. Must + be from -315,576,000,000 to +315,576,000,000 inclusive. + Note: these bounds are computed from: 60 sec/min * + 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years' + format: int64 + type: integer + type: object + type: object + description: local_connection is the configuration that should + be used to connect to the local application provided per-port. + The map keys should correspond to port names on the workload. + type: object + localWorkloadAddress: + description: "deprecated: local_workload_address, local_workload_port, + and local_workload_socket_path are deprecated and are only needed + for migration of existing resources. \n Deprecated: Marked as + deprecated in pbmesh/v2beta1/proxy_configuration.proto." + type: string + localWorkloadPort: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + format: int32 + type: integer + localWorkloadSocketPath: + description: 'Deprecated: Marked as deprecated in pbmesh/v2beta1/proxy_configuration.proto.' + type: string + meshGatewayMode: + enum: + - MESH_GATEWAY_MODE_UNSPECIFIED + - MESH_GATEWAY_MODE_NONE + - MESH_GATEWAY_MODE_LOCAL + - MESH_GATEWAY_MODE_REMOTE + format: int32 + type: string + mode: + description: mode indicates the proxy's mode. This will default + to 'transparent'. + enum: + - PROXY_MODE_DEFAULT + - PROXY_MODE_TRANSPARENT + - PROXY_MODE_DIRECT + format: int32 + type: string + mutualTlsMode: + enum: + - MUTUAL_TLS_MODE_DEFAULT + - MUTUAL_TLS_MODE_STRICT + - MUTUAL_TLS_MODE_PERMISSIVE + format: int32 + type: string + publicListenerJson: + type: string + transparentProxy: + properties: + dialedDirectly: + description: dialed_directly indicates whether this proxy + should be dialed using original destination IP in the connection + rather than load balance between all endpoints. + type: boolean + outboundListenerPort: + description: outbound_listener_port is the port for the proxy's + outbound listener. This defaults to 15001. + format: int32 + type: integer + type: object + type: object + opaqueConfig: + description: "deprecated: prevent usage when using v2 APIs directly. + needed for backwards compatibility \n Deprecated: Marked as deprecated + in pbmesh/v2beta1/proxy_configuration.proto." + type: object + x-kubernetes-preserve-unknown-fields: true + workloads: + description: Selection of workloads this proxy configuration should + apply to. These can be prefixes or specific workload names. + properties: + filter: + type: string + names: + items: + type: string + type: array + prefixes: + items: + type: string + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-proxydefaults.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-proxydefaults.yaml new file mode 100644 index 0000000000..ce49c9149a --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-proxydefaults.yaml @@ -0,0 +1,265 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: proxydefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ProxyDefaults + listKind: ProxyDefaultsList + plural: proxydefaults + shortNames: + - proxy-defaults + singular: proxydefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProxyDefaults is the Schema for the proxydefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProxyDefaultsSpec defines the desired state of ProxyDefaults. + properties: + accessLogs: + description: AccessLogs controls all envoy instances' access logging + configuration. + properties: + disableListenerLogs: + description: DisableListenerLogs turns off just listener logs + for connections rejected by Envoy because they don't have a + matching listener filter. + type: boolean + enabled: + description: Enabled turns on all access logging + type: boolean + jsonFormat: + description: 'JSONFormat is a JSON-formatted string of an Envoy + access log format dictionary. See for more info on formatting: + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-dictionaries + Defining JSONFormat and TextFormat is invalid.' + type: string + path: + description: Path is the output file to write logs for file-type + logging + type: string + textFormat: + description: 'TextFormat is a representation of Envoy access logs + format. See for more info on formatting: https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-strings + Defining JSONFormat and TextFormat is invalid.' + type: string + type: + description: Type selects the output for logs one of "file", "stderr". + "stdout" + type: string + type: object + config: + description: Config is an arbitrary map of configuration values used + by Connect proxies. Any values that your proxy allows can be configured + globally here. Supports JSON config values. See https://www.consul.io/docs/connect/proxies/envoy#configuration-formatting + type: object + x-kubernetes-preserve-unknown-fields: true + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + failoverPolicy: + description: FailoverPolicy specifies the exact mechanism used for + failover. + properties: + mode: + description: Mode specifies the type of failover that will be + performed. Valid values are "sequential", "" (equivalent to + "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions of the + failover targets. Valid values can be "us-west-1", "us-west-2", + and so on. + items: + type: string + type: array + type: object + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-referencegrants-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-referencegrants-external.yaml new file mode 100644 index 0000000000..db9cf12027 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-referencegrants-external.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: "ReferenceGrant identifies kinds of resources in other namespaces that are trusted to reference the specified kinds of resources in the same namespace as the policy. \n Each ReferenceGrant can be used to represent a unique trust relationship. Additional Reference Grants can be used to add to the set of trusted sources of inbound references for the namespace they are defined within. \n All cross-namespace references in Gateway API (with the exception of cross-namespace Gateway-route attachment) require a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing users to assert which cross-namespace object references are permitted. Implementations that support ReferenceGrant MUST NOT permit cross-namespace references which have no grant, and MUST respond to the removal of a grant by revoking the access that the grant allowed. \n Support: Core" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: "From describes the trusted namespaces and kinds that can reference the resources described in \"To\". Each entry in this list MUST be considered to be an additional place that references can be valid from, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantFrom describes trusted namespaces and kinds. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field. \n When used to permit a SecretObjectReference: \n * Gateway \n When used to permit a BackendObjectReference: \n * GRPCRoute * HTTPRoute * TCPRoute * TLSRoute * UDPRoute" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: "Namespace is the namespace of the referent. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: "To describes the resources that may be referenced by the resources described in \"From\". Each entry in this list MUST be considered to be an additional place that references can be valid to, or to put this another way, entries MUST be combined using OR. \n Support: Core" + items: + description: ReferenceGrantTo describes what Kinds are allowed as targets of the references. + properties: + group: + description: "Group is the group of the referent. When empty, the Kubernetes core API group is inferred. \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: "Kind is the kind of the referent. Although implementations may support additional resources, the following types are part of the \"Core\" support level for this field: \n * Secret when used to permit a SecretObjectReference * Service when used to permit a BackendObjectReference" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. When unspecified, this policy refers to all resources of the specified Group and Kind in the local namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: false + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-registrations.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-registrations.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-registrations.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-registrations.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-routeauthfilters.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-routeauthfilters.yaml new file mode 100644 index 0000000000..a51bf226cd --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-routeauthfilters.yaml @@ -0,0 +1,199 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeauthfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteAuthFilter + listKind: RouteAuthFilterList + plural: routeauthfilters + singular: routeauthfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteAuthFilter is the Schema for the routeauthfilters API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteAuthFilterSpec defines the desired state of RouteAuthFilter. + properties: + jwt: + description: This re-uses the JWT requirement type from Gateway Policy + Types. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + description: GatewayJWTProvider holds the provider and claim + verification information. + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + description: GatewayJWTClaimVerification holds the actual + claim information to be verified. + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: "Value is the expected value at the given + path: - If the type at the path is a list then we + verify that this value is contained in the list. + \n - If the type at the path is a string then we + verify that this value matches." + type: string + required: + - path + - value + type: object + type: array + required: + - name + type: object + type: array + required: + - providers + type: object + type: object + status: + description: RouteAuthFilterStatus defines the observed state of the gateway. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: ResolvedRefs + description: "Conditions describe the current conditions of the Filter. + \n Known condition types are: \n * \"Accepted\" * \"ResolvedRefs\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-routeretryfilters.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-routeretryfilters.yaml new file mode 100644 index 0000000000..14b6062f60 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-routeretryfilters.yaml @@ -0,0 +1,115 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routeretryfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteRetryFilter + listKind: RouteRetryFilterList + plural: routeretryfilters + singular: routeretryfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteRetryFilter is the Schema for the routeretryfilters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteRetryFilterSpec defines the desired state of RouteRetryFilter. + properties: + numRetries: + format: int32 + minimum: 0 + type: integer + retryOn: + items: + type: string + type: array + retryOnConnectFailure: + type: boolean + retryOnStatusCodes: + items: + format: int32 + type: integer + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-routetimeoutfilters.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-routetimeoutfilters.yaml new file mode 100644 index 0000000000..07ebfe9386 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-routetimeoutfilters.yaml @@ -0,0 +1,107 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: routetimeoutfilters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: RouteTimeoutFilter + listKind: RouteTimeoutFilterList + plural: routetimeoutfilters + singular: routetimeoutfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: RouteTimeoutFilter is the Schema for the httproutetimeoutfilters + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RouteTimeoutFilterSpec defines the desired state of RouteTimeoutFilter. + properties: + idleTimeout: + format: duration + type: string + requestTimeout: + format: duration + type: string + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-samenessgroups.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-samenessgroups.yaml new file mode 100644 index 0000000000..ea0ad7c8a0 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-samenessgroups.yaml @@ -0,0 +1,129 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: samenessgroups.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: SamenessGroup + listKind: SamenessGroupList + plural: samenessgroups + shortNames: + - sameness-group + singular: samenessgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SamenessGroup is the Schema for the samenessgroups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SamenessGroupSpec defines the desired state of SamenessGroup. + properties: + defaultForFailover: + description: DefaultForFailover indicates that upstream requests to + members of the given sameness group will implicitly failover between + members of this sameness group. When DefaultForFailover is true, + the local partition must be a member of the sameness group or IncludeLocal + must be set to true. + type: boolean + includeLocal: + description: IncludeLocal is used to include the local partition as + the first member of the sameness group. The local partition can + only be a member of a single sameness group. + type: boolean + members: + description: Members are the partitions and peers that are part of + the sameness group. If a member of a sameness group does not exist, + it will be ignored. + items: + properties: + partition: + description: The partitions and peers that are part of the sameness + group. A sameness group member cannot define both peer and + partition at the same time. + type: string + peer: + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-servicedefaults.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-servicedefaults.yaml new file mode 100644 index 0000000000..c7e2b5bb2b --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-servicedefaults.yaml @@ -0,0 +1,565 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicedefaults.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceDefaults + listKind: ServiceDefaultsList + plural: servicedefaults + shortNames: + - service-defaults + singular: servicedefaults + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceDefaults is the Schema for the servicedefaults API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceDefaultsSpec defines the desired state of ServiceDefaults. + properties: + balanceInboundConnections: + description: BalanceInboundConnections sets the strategy for allocating + inbound connections to the service across proxy threads. The only + supported value is exact_balance. By default, no connection balancing + is used. Refer to the Envoy Connection Balance config for details. + type: string + destination: + description: Destination is an address(es)/port combination that represents + an endpoint outside the mesh. This is only valid when the mesh is + configured in "transparent" mode. Destinations live outside of Consul's + catalog, and because of this, they do not require an artificial + node to be created. + properties: + addresses: + description: Addresses is a list of IPs and/or hostnames that + can be dialed and routed through a terminating gateway. + items: + type: string + type: array + port: + description: Port is the port that can be dialed on any of the + addresses in this Destination. + format: int32 + type: integer + type: object + envoyExtensions: + description: EnvoyExtensions are a list of extensions to modify Envoy + proxy configuration. + items: + description: EnvoyExtension has configuration for an extension that + patches Envoy resources. + properties: + arguments: + type: object + x-kubernetes-preserve-unknown-fields: true + name: + type: string + required: + type: boolean + type: object + type: array + expose: + description: Expose controls the default expose path configuration + for Envoy. + properties: + checks: + description: Checks defines whether paths associated with Consul + checks will be exposed. This flag triggers exposing all HTTP + and GRPC check paths registered for the service. + type: boolean + paths: + description: Paths is the list of paths exposed through the proxy. + items: + properties: + listenerPort: + description: ListenerPort defines the port of the proxy's + listener for exposed paths. + type: integer + localPathPort: + description: LocalPathPort is the port that the service + is listening on for the given path. + type: integer + path: + description: Path is the path to expose through the proxy, + ie. "/metrics". + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "http" and "http2", defaults to "http". + type: string + type: object + type: array + type: object + externalSNI: + description: ExternalSNI is an optional setting that allows for the + TLS SNI value to be changed to a non-connect value when federating + with an external system. + type: string + localConnectTimeoutMs: + description: LocalConnectTimeoutMs is the number of milliseconds allowed + to make connections to the local application instance before timing + out. Defaults to 5000. + type: integer + localRequestTimeoutMs: + description: LocalRequestTimeoutMs is the timeout for HTTP requests + to the local application instance in milliseconds. Applies to HTTP-based + protocols only. If not specified, inherits the Envoy default for + route timeouts (15s). + type: integer + maxInboundConnections: + description: MaxInboundConnections is the maximum number of concurrent + inbound connections to each service instance. Defaults to 0 (using + consul's default) if not set. + type: integer + meshGateway: + description: MeshGateway controls the default mesh gateway configuration + for this service. + properties: + mode: + description: Mode is the mode that should be used for the upstream + connection. One of none, local, or remote. + type: string + type: object + mode: + description: 'Mode can be one of "direct" or "transparent". "transparent" + represents that inbound and outbound application traffic is being + captured and redirected through the proxy. This mode does not enable + the traffic redirection itself. Instead it signals Consul to configure + Envoy as if traffic is already being redirected. "direct" represents + that the proxy''s listeners must be dialed directly by the local + application and other proxies. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + type: string + mutualTLSMode: + description: 'MutualTLSMode controls whether mutual TLS is required + for all incoming connections when transparent proxy is enabled. + This can be set to "permissive" or "strict". "strict" is the default + which requires mutual TLS for incoming connections. In the insecure + "permissive" mode, connections to the sidecar proxy public listener + port require mutual TLS, but connections to the service port do + not require mutual TLS and are proxied to the application unmodified. + Note: Intentions are not enforced for non-mTLS connections. To keep + your services secure, we recommend using "strict" mode whenever + possible and enabling "permissive" mode only when necessary.' + type: string + protocol: + description: Protocol sets the protocol of the service. This is used + by Connect proxies for things like observability features and to + unlock usage of the service-splitter and service-router config entries + for a service. + type: string + rateLimits: + description: RateLimits is rate limiting configuration that is applied + to inbound traffic for a service. Rate limiting is a Consul enterprise + feature. + properties: + instanceLevel: + description: InstanceLevel represents rate limit configuration + that is applied per service instance. + properties: + requestsMaxBurst: + description: "RequestsMaxBurst is the maximum number of requests + that can be sent in a burst. Should be equal to or greater + than RequestsPerSecond. If unset, defaults to RequestsPerSecond. + \n Internally, this is the maximum size of the token bucket + used for rate limiting." + type: integer + requestsPerSecond: + description: "RequestsPerSecond is the average number of requests + per second that can be made without being throttled. This + field is required if RequestsMaxBurst is set. The allowed + number of requests may exceed RequestsPerSecond up to the + value specified in RequestsMaxBurst. \n Internally, this + is the refill rate of the token bucket used for rate limiting." + type: integer + routes: + description: Routes is a list of rate limits applied to specific + routes. For a given request, the first matching route will + be applied, if any. Overrides any top-level configuration. + items: + properties: + pathExact: + description: Exact path to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathPrefix: + description: Prefix to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + pathRegex: + description: Regex to match. Exactly one of PathExact, + PathPrefix, or PathRegex must be specified. + type: string + requestsMaxBurst: + description: RequestsMaxBurst is the maximum number + of requests that can be sent in a burst. Should be + equal to or greater than RequestsPerSecond. If unset, + defaults to RequestsPerSecond. Internally, this is + the maximum size of the token bucket used for rate + limiting. + type: integer + requestsPerSecond: + description: RequestsPerSecond is the average number + of requests per second that can be made without being + throttled. This field is required if RequestsMaxBurst + is set. The allowed number of requests may exceed + RequestsPerSecond up to the value specified in RequestsMaxBurst. + Internally, this is the refill rate of the token bucket + used for rate limiting. + type: integer + type: object + type: array + type: object + type: object + transparentProxy: + description: 'TransparentProxy controls configuration specific to + proxies in transparent mode. Note: This cannot be set using the + CRD and should be set using annotations on the services that are + part of the mesh.' + properties: + dialedDirectly: + description: DialedDirectly indicates whether transparent proxies + can dial this proxy instance directly. The discovery chain is + not considered when dialing a service instance directly. This + setting is useful when addressing stateful services, such as + a database cluster with a leader node. + type: boolean + outboundListenerPort: + description: OutboundListenerPort is the port of the listener + where outbound application traffic is being redirected to. + type: integer + type: object + upstreamConfig: + description: UpstreamConfig controls default configuration settings + that apply across all upstreams, and per-upstream configuration + overrides. Note that per-upstream configuration applies across all + federated datacenters to the pairing of source and upstream destination + services. + properties: + defaults: + description: Defaults contains default configuration for all upstreams + of a given service. The name field must be empty. + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the upstream + cluster at a point in time. This is mostly applicable + to HTTP/2 clusters since all HTTP/1.1 requests are limited + by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of connections + the local proxy can make to the upstream service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 clusters + since all HTTP/2 requests are streamed over a single + connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines how + upstream proxy instances will be monitored for removal from + the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied by + the number of times the host has been ejected and is + capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance that + a host will be actually ejected when an outlier status + is detected through consecutive 5xx. This setting can + be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis sweeps. + Each sweep may remove hosts or return hosts to the pool. + Ex. setting this to "10s" will set the interval to 10 + seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults to + 10% but will eject at least one host regardless of the + value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive failures + that results in a host being removed from the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + overrides: + description: Overrides is a slice of per-service configuration. + The name field is required. + items: + properties: + connectTimeoutMs: + description: ConnectTimeoutMs is the number of milliseconds + to timeout making a new connection to this upstream. Defaults + to 5000 (5 seconds) if not set. + type: integer + envoyClusterJSON: + description: 'EnvoyClusterJSON is a complete override ("escape + hatch") for the upstream''s cluster. The Connect client + TLS certificate and context will be injected overriding + any TLS settings present. Note: This escape hatch is NOT + compatible with the discovery chain and will be ignored + if a discovery chain is active.' + type: string + envoyListenerJSON: + description: 'EnvoyListenerJSON is a complete override ("escape + hatch") for the upstream''s listener. Note: This escape + hatch is NOT compatible with the discovery chain and will + be ignored if a discovery chain is active.' + type: string + limits: + description: Limits are the set of limits that are applied + to the proxy for a specific upstream of a service instance. + properties: + maxConcurrentRequests: + description: MaxConcurrentRequests is the maximum number + of in-flight requests that will be allowed to the + upstream cluster at a point in time. This is mostly + applicable to HTTP/2 clusters since all HTTP/1.1 requests + are limited by MaxConnections. + type: integer + maxConnections: + description: MaxConnections is the maximum number of + connections the local proxy can make to the upstream + service. + type: integer + maxPendingRequests: + description: MaxPendingRequests is the maximum number + of requests that will be queued waiting for an available + connection. This is mostly applicable to HTTP/1.1 + clusters since all HTTP/2 requests are streamed over + a single connection. + type: integer + type: object + meshGateway: + description: MeshGatewayConfig controls how Mesh Gateways + are configured and used. + properties: + mode: + description: Mode is the mode that should be used for + the upstream connection. One of none, local, or remote. + type: string + type: object + name: + description: Name is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + namespace: + description: Namespace is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + partition: + description: Partition is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + passiveHealthCheck: + description: PassiveHealthCheck configuration determines + how upstream proxy instances will be monitored for removal + from the load balancing pool. + properties: + baseEjectionTime: + description: The base time that a host is ejected for. + The real time is equal to the base time multiplied + by the number of times the host has been ejected and + is capped by max_ejection_time (Default 300s). Defaults + to 30s. + type: string + enforcingConsecutive5xx: + description: EnforcingConsecutive5xx is the % chance + that a host will be actually ejected when an outlier + status is detected through consecutive 5xx. This setting + can be used to disable ejection or to ramp it up slowly. + Ex. Setting this to 10 will make it a 10% chance that + the host will be ejected. + format: int32 + type: integer + interval: + description: Interval between health check analysis + sweeps. Each sweep may remove hosts or return hosts + to the pool. Ex. setting this to "10s" will set the + interval to 10 seconds. + type: string + maxEjectionPercent: + description: The maximum % of an upstream cluster that + can be ejected due to outlier detection. Defaults + to 10% but will eject at least one host regardless + of the value. + format: int32 + type: integer + maxFailures: + description: MaxFailures is the count of consecutive + failures that results in a host being removed from + the pool. + format: int32 + type: integer + type: object + peer: + description: Peer is only accepted within service ServiceDefaultsSpec.UpstreamConfig.Overrides + config entry. + type: string + protocol: + description: Protocol describes the upstream's service protocol. + Valid values are "tcp", "http" and "grpc". Anything else + is treated as tcp. This enables protocol aware features + like per-request metrics and connection pooling, tracing, + routing etc. + type: string + type: object + type: array + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-serviceintentions.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-serviceintentions.yaml new file mode 100644 index 0000000000..75299f016e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-serviceintentions.yaml @@ -0,0 +1,311 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceintentions.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceIntentions + listKind: ServiceIntentionsList + plural: serviceintentions + shortNames: + - service-intentions + singular: serviceintentions + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceIntentions is the Schema for the serviceintentions API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceIntentionsSpec defines the desired state of ServiceIntentions. + properties: + destination: + description: Destination is the intention destination that will have + the authorization granted to. + properties: + name: + description: Name is the destination of all intentions defined + in this config entry. This may be set to the wildcard character + (*) to match all services that don't otherwise have intentions + defined. + type: string + namespace: + description: Namespace specifies the namespace the config entry + will apply to. This may be set to the wildcard character (*) + to match all services in all namespaces that don't otherwise + have intentions defined. + type: string + type: object + jwt: + description: JWT specifies the configuration to validate a JSON Web + Token for all incoming requests. + properties: + providers: + description: Providers is a list of providers to consider when + verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. There + MUST be a corresponding "jwt-provider" config entry with + this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional claims + to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim in the + token JSON. + items: + type: string + type: array + value: + description: Value is the expected value at the given + path. If the type at the path is a list then we + verify that this value is contained in the list. + If the type at the path is a string then we verify + that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + sources: + description: Sources is the list of all intention sources and the + authorization granted to those sources. The order of this list does + not matter, but out of convenience Consul will always store this + reverse sorted by intention precedence, as that is the order that + they will be evaluated at enforcement time. + items: + properties: + action: + description: Action is required for an L4 intention, and should + be set to one of "allow" or "deny" for the action that should + be taken if this intention matches a request. + type: string + description: + description: Description for the intention. This is not used + by Consul, but is presented in API responses to assist tooling. + type: string + name: + description: Name is the source of the intention. This is the + name of a Consul service. The service doesn't need to be registered. + type: string + namespace: + description: Namespace is the namespace for the Name parameter. + type: string + partition: + description: Partition is the Admin Partition for the Name parameter. + type: string + peer: + description: Peer is the peer name for the Name parameter. + type: string + permissions: + description: Permissions is the list of all additional L7 attributes + that extend the intention match criteria. Permission precedence + is applied top to bottom. For any given request the first + permission to match in the list is terminal and stops further + evaluation. As with L4 intentions, traffic that fails to match + any of the provided permissions in this intention will be + subject to the default intention behavior is defined by the + default ACL policy. This should be omitted for an L4 intention + as it is mutually exclusive with the Action field. + items: + properties: + action: + description: Action is one of "allow" or "deny" for the + action that should be taken if this permission matches + a request. + type: string + http: + description: HTTP is a set of HTTP-specific authorization + criteria. + properties: + header: + description: Header is a set of criteria that can + match on HTTP request headers. If more than one + is configured all must match for the overall match + to apply. + items: + properties: + exact: + description: Exact matches if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the + match. + type: boolean + name: + description: Name is the name of the header + to match. + type: string + prefix: + description: Prefix matches if the header with + the given name has this prefix. + type: string + present: + description: Present matches if the header with + the given name is present with any value. + type: boolean + regex: + description: Regex matches if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix matches if the header with + the given name has this suffix. + type: string + type: object + type: array + methods: + description: Methods is a list of HTTP methods for + which this match applies. If unspecified all HTTP + methods are matched. If provided the names must + be a valid method. + items: + type: string + type: array + pathExact: + description: PathExact is the exact path to match + on the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is the path prefix to match + on the HTTP request path. + type: string + pathRegex: + description: PathRegex is the regular expression to + match on the HTTP request path. + type: string + type: object + jwt: + description: JWT specifies configuration to validate a + JSON Web Token for incoming requests. + properties: + providers: + description: Providers is a list of providers to consider + when verifying a JWT. + items: + properties: + name: + description: Name is the name of the JWT provider. + There MUST be a corresponding "jwt-provider" + config entry with this name. + type: string + verifyClaims: + description: VerifyClaims is a list of additional + claims to verify in a JWT's payload. + items: + properties: + path: + description: Path is the path to the claim + in the token JSON. + items: + type: string + type: array + value: + description: Value is the expected value + at the given path. If the type at the + path is a list then we verify that this + value is contained in the list. If the + type at the path is a string then we + verify that this value matches. + type: string + type: object + type: array + type: object + type: array + type: object + type: object + type: array + samenessGroup: + description: SamenessGroup is the name of the sameness group, + if applicable. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-serviceresolvers.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-serviceresolvers.yaml new file mode 100644 index 0000000000..6d89125216 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-serviceresolvers.yaml @@ -0,0 +1,348 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: serviceresolvers.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceResolver + listKind: ServiceResolverList + plural: serviceresolvers + shortNames: + - service-resolver + singular: serviceresolver + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceResolver is the Schema for the serviceresolvers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceResolverSpec defines the desired state of ServiceResolver. + properties: + connectTimeout: + description: ConnectTimeout is the timeout for establishing new network + connections to this service. + type: string + defaultSubset: + description: DefaultSubset is the subset to use when no explicit subset + is requested. If empty the unnamed subset is used. + type: string + failover: + additionalProperties: + properties: + datacenters: + description: Datacenters is a fixed list of datacenters to try + during failover. + items: + type: string + type: array + namespace: + description: Namespace is the namespace to resolve the requested + service from to form the failover group of instances. If empty + the current namespace is used. + type: string + policy: + description: Policy specifies the exact mechanism used for failover. + properties: + mode: + description: Mode specifies the type of failover that will + be performed. Valid values are "sequential", "" (equivalent + to "sequential") and "order-by-locality". + type: string + regions: + description: Regions is the ordered list of the regions + of the failover targets. Valid values can be "us-west-1", + "us-west-2", and so on. + items: + type: string + type: array + type: object + samenessGroup: + description: SamenessGroup is the name of the sameness group + to try during failover. + type: string + service: + description: Service is the service to resolve instead of the + default as the failover group of instances during failover. + type: string + serviceSubset: + description: ServiceSubset is the named subset of the requested + service to resolve as the failover group of instances. If + empty the default subset for the requested service is used. + type: string + targets: + description: Targets specifies a fixed list of failover targets + to try during failover. + items: + properties: + datacenter: + description: Datacenter specifies the datacenter to try + during failover. + type: string + namespace: + description: Namespace specifies the namespace to try + during failover. + type: string + partition: + description: Partition specifies the partition to try + during failover. + type: string + peer: + description: Peer specifies the name of the cluster peer + to try during failover. + type: string + service: + description: Service specifies the name of the service + to try during failover. + type: string + serviceSubset: + description: ServiceSubset specifies the service subset + to try during failover. + type: string + type: object + type: array + type: object + description: Failover controls when and how to reroute traffic to + an alternate pool of service instances. The map is keyed by the + service subset it applies to and the special string "*" is a wildcard + that applies to any subset not otherwise specified here. + type: object + loadBalancer: + description: LoadBalancer determines the load balancing policy and + configuration for services issuing requests to this upstream service. + properties: + hashPolicies: + description: HashPolicies is a list of hash policies to use for + hashing load balancing algorithms. Hash policies are evaluated + individually and combined such that identical lists result in + the same hash. If no hash policies are present, or none are + successfully evaluated, then a random backend host will be selected. + items: + properties: + cookieConfig: + description: CookieConfig contains configuration for the + "cookie" hash policy type. + properties: + path: + description: Path is the path to set for the cookie. + type: string + session: + description: Session determines whether to generate + a session cookie with no expiration. + type: boolean + ttl: + description: TTL is the ttl for generated cookies. Cannot + be specified for session cookies. + type: string + type: object + field: + description: Field is the attribute type to hash on. Must + be one of "header", "cookie", or "query_parameter". Cannot + be specified along with sourceIP. + type: string + fieldValue: + description: FieldValue is the value to hash. ie. header + name, cookie name, URL query parameter name Cannot be + specified along with sourceIP. + type: string + sourceIP: + description: SourceIP determines whether the hash should + be of the source IP rather than of a field and field value. + Cannot be specified along with field or fieldValue. + type: boolean + terminal: + description: Terminal will short circuit the computation + of the hash when multiple hash policies are present. If + a hash is computed when a Terminal policy is evaluated, + then that hash will be used and subsequent hash policies + will be ignored. + type: boolean + type: object + type: array + leastRequestConfig: + description: LeastRequestConfig contains configuration for the + "leastRequest" policy type. + properties: + choiceCount: + description: ChoiceCount determines the number of random healthy + hosts from which to select the one with the least requests. + format: int32 + type: integer + type: object + policy: + description: Policy is the load balancing policy used to select + a host. + type: string + ringHashConfig: + description: RingHashConfig contains configuration for the "ringHash" + policy type. + properties: + maximumRingSize: + description: MaximumRingSize determines the maximum number + of entries in the hash ring. + format: int64 + type: integer + minimumRingSize: + description: MinimumRingSize determines the minimum number + of entries in the hash ring. + format: int64 + type: integer + type: object + type: object + prioritizeByLocality: + description: PrioritizeByLocality controls whether the locality of + services within the local partition will be used to prioritize connectivity. + properties: + mode: + description: 'Mode specifies the type of prioritization that will + be performed when selecting nodes in the local partition. Valid + values are: "" (default "none"), "none", and "failover".' + type: string + type: object + redirect: + description: Redirect when configured, all attempts to resolve the + service this resolver defines will be substituted for the supplied + redirect EXCEPT when the redirect has already been applied. When + substituting the supplied redirect, all other fields besides Kind, + Name, and Redirect will be ignored. + properties: + datacenter: + description: Datacenter is the datacenter to resolve the service + from instead of the current one. + type: string + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + peer: + description: Peer is the name of the cluster peer to resolve the + service from instead of the current one. + type: string + samenessGroup: + description: SamenessGroup is the name of the sameness group to + resolve the service from instead of the current one. + type: string + service: + description: Service is a service to resolve instead of the current + service. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset + If empty the default subset is used. + type: string + type: object + requestTimeout: + description: RequestTimeout is the timeout for receiving an HTTP response + from this service before the connection is terminated. + type: string + subsets: + additionalProperties: + properties: + filter: + description: Filter is the filter expression to be used for + selecting instances of the requested service. If empty all + healthy instances are returned. This expression can filter + on the same selectors as the Health API endpoint. + type: string + onlyPassing: + description: OnlyPassing specifies the behavior of the resolver's + health check interpretation. If this is set to false, instances + with checks in the passing as well as the warning states will + be considered healthy. If this is set to true, only instances + with checks in the passing state will be considered healthy. + type: boolean + type: object + description: Subsets is map of subset name to subset definition for + all usable named subsets of this service. The map key is the name + of the subset and all names must be valid DNS subdomain elements. + This may be empty, in which case only the unnamed default subset + will be usable. + type: object + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-servicerouters.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-servicerouters.yaml new file mode 100644 index 0000000000..c7924081fd --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-servicerouters.yaml @@ -0,0 +1,323 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicerouters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceRouter + listKind: ServiceRouterList + plural: servicerouters + shortNames: + - service-router + singular: servicerouter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceRouter is the Schema for the servicerouters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceRouterSpec defines the desired state of ServiceRouter. + properties: + routes: + description: Routes are the list of routes to consider when processing + L7 requests. The first route to match in the list is terminal and + stops further evaluation. Traffic that fails to match any of the + provided routes will be routed to the default service. + items: + properties: + destination: + description: Destination controls how to proxy the matching + request(s) to a service. + properties: + idleTimeout: + description: IdleTimeout is total amount of time permitted + for the request stream to be idle. + type: string + namespace: + description: Namespace is the Consul namespace to resolve + the service from instead of the current namespace. If + empty the current namespace is assumed. + type: string + numRetries: + description: NumRetries is the number of times to retry + the request when a retryable result occurs + format: int32 + type: integer + partition: + description: Partition is the Consul partition to resolve + the service from instead of the current partition. If + empty the current partition is assumed. + type: string + prefixRewrite: + description: PrefixRewrite defines how to rewrite the HTTP + request path before proxying it to its final destination. + This requires that either match.http.pathPrefix or match.http.pathExact + be configured on this route. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + requestTimeout: + description: RequestTimeout is the total amount of time + permitted for the entire downstream request (and retries) + to be processed. + type: string + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies + as the request passes through them. It can operate on + either request or response headers depending on the context + in which it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that + should be appended to the request or response (i.e. + allowing duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that + should be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that + should be added to the request or response, overwriting + any existing header values of the same name. + type: object + type: object + retryOn: + description: 'RetryOn is a flat list of conditions for Consul + to retry requests based on the response from an upstream + service. Refer to the valid conditions here: https://developer.hashicorp.com/consul/docs/connect/config-entries/service-router#routes-destination-retryon' + items: + type: string + type: array + retryOnConnectFailure: + description: RetryOnConnectFailure allows for connection + failure errors to trigger a retry. + type: boolean + retryOnStatusCodes: + description: RetryOnStatusCodes is a flat list of http response + status codes that are eligible for retry. + items: + format: int32 + type: integer + type: array + service: + description: Service is the service to resolve instead of + the default service. If empty then the default service + name is used. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given + service to resolve instead of the one defined as that + service's DefaultSubset. If empty, the default subset + is used. + type: string + type: object + match: + description: Match is a set of criteria that can match incoming + L7 requests. If empty or omitted it acts as a catch-all. + properties: + http: + description: HTTP is a set of http-specific match criteria. + properties: + caseInsensitive: + description: CaseInsensitive configures PathExact and + PathPrefix matches to ignore upper/lower casing. + type: boolean + header: + description: Header is a set of criteria that can match + on HTTP request headers. If more than one is configured + all must match for the overall match to apply. + items: + properties: + exact: + description: Exact will match if the header with + the given name is this value. + type: string + invert: + description: Invert inverts the logic of the match. + type: boolean + name: + description: Name is the name of the header to + match. + type: string + prefix: + description: Prefix will match if the header with + the given name has this prefix. + type: string + present: + description: Present will match if the header + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the header with + the given name matches this pattern. + type: string + suffix: + description: Suffix will match if the header with + the given name has this suffix. + type: string + required: + - name + type: object + type: array + methods: + description: Methods is a list of HTTP methods for which + this match applies. If unspecified all http methods + are matched. + items: + type: string + type: array + pathExact: + description: PathExact is an exact path to match on + the HTTP request path. + type: string + pathPrefix: + description: PathPrefix is a path prefix to match on + the HTTP request path. + type: string + pathRegex: + description: PathRegex is a regular expression to match + on the HTTP request path. + type: string + queryParam: + description: QueryParam is a set of criteria that can + match on HTTP query parameters. If more than one is + configured all must match for the overall match to + apply. + items: + properties: + exact: + description: Exact will match if the query parameter + with the given name is this value. + type: string + name: + description: Name is the name of the query parameter + to match on. + type: string + present: + description: Present will match if the query parameter + with the given name is present with any value. + type: boolean + regex: + description: Regex will match if the query parameter + with the given name matches this pattern. + type: string + required: + - name + type: object + type: array + type: object + type: object + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-servicesplitters.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-servicesplitters.yaml new file mode 100644 index 0000000000..8d5ed58023 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-servicesplitters.yaml @@ -0,0 +1,186 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: servicesplitters.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: ServiceSplitter + listKind: ServiceSplitterList + plural: servicesplitters + shortNames: + - service-splitter + singular: servicesplitter + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ServiceSplitter is the Schema for the servicesplitters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSplitterSpec defines the desired state of ServiceSplitter. + properties: + splits: + description: Splits defines how much traffic to send to which set + of service instances during a traffic split. The sum of weights + across all splits must add up to 100. + items: + properties: + namespace: + description: Namespace is the Consul namespace to resolve the + service from instead of the current namespace. If empty the + current namespace is assumed. + type: string + partition: + description: Partition is the Consul partition to resolve the + service from instead of the current partition. If empty the + current partition is assumed. + type: string + requestHeaders: + description: Allow HTTP header manipulation to be configured. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + responseHeaders: + description: HTTPHeaderModifiers is a set of rules for HTTP + header modification that should be performed by proxies as + the request passes through them. It can operate on either + request or response headers depending on the context in which + it is used. + properties: + add: + additionalProperties: + type: string + description: Add is a set of name -> value pairs that should + be appended to the request or response (i.e. allowing + duplicates if the same header already exists). + type: object + remove: + description: Remove is the set of header names that should + be stripped from the request or response. + items: + type: string + type: array + set: + additionalProperties: + type: string + description: Set is a set of name -> value pairs that should + be added to the request or response, overwriting any existing + header values of the same name. + type: object + type: object + service: + description: Service is the service to resolve instead of the + default. + type: string + serviceSubset: + description: ServiceSubset is a named subset of the given service + to resolve instead of one defined as that service's DefaultSubset. + If empty the default subset is used. + type: string + weight: + description: Weight is a value between 0 and 100 reflecting + what portion of traffic should be directed to this split. + The smallest representable weight is 1/10000 or .01%. + type: number + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-tcproutes-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-tcproutes-external.yaml new file mode 100644 index 0000000000..b5bc7be13c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-tcproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: TCPRoute provides a way to route TCP requests. When combined with a Gateway listener, it can be used to forward connections on the port specified by the listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Connection rejections must respect weight; if an invalid backend is requested to have 80% of connections, then 80% of connections must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-tcproutes.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-tcproutes.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-tcproutes.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-tcproutes.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-terminatinggateways.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-terminatinggateways.yaml new file mode 100644 index 0000000000..cd53122e9d --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-terminatinggateways.yaml @@ -0,0 +1,141 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: terminatinggateways.consul.hashicorp.com +spec: + group: consul.hashicorp.com + names: + kind: TerminatingGateway + listKind: TerminatingGatewayList + plural: terminatinggateways + shortNames: + - terminating-gateway + singular: terminatinggateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The sync status of the resource with Consul + jsonPath: .status.conditions[?(@.type=="Synced")].status + name: Synced + type: string + - description: The last successful synced time of the resource with Consul + jsonPath: .status.lastSyncedTime + name: Last Synced + type: date + - description: The age of the resource + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: TerminatingGateway is the Schema for the terminatinggateways + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TerminatingGatewaySpec defines the desired state of TerminatingGateway. + properties: + services: + description: Services is a list of service names represented by the + terminating gateway. + items: + description: A LinkedService is a service represented by a terminating + gateway. + properties: + caFile: + description: CAFile is the optional path to a CA certificate + to use for TLS connections from the gateway to the linked + service. + type: string + certFile: + description: CertFile is the optional path to a client certificate + to use for TLS connections from the gateway to the linked + service. + type: string + disableAutoHostRewrite: + description: DisableAutoHostRewrite disables terminating gateways + auto host rewrite feature when set to true. + type: boolean + keyFile: + description: KeyFile is the optional path to a private key to + use for TLS connections from the gateway to the linked service. + type: string + name: + description: Name is the name of the service, as defined in + Consul's catalog. + type: string + namespace: + description: The namespace the service is registered in. + type: string + sni: + description: SNI is the optional name to specify during the + TLS handshake with a linked service. + type: string + type: object + type: array + type: object + status: + properties: + conditions: + description: Conditions indicate the latest available observations + of a resource's current state. + items: + description: 'Conditions define a readiness condition for a Consul + resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + required: + - status + - type + type: object + type: array + lastSyncedTime: + description: LastSyncedTime is the last time the resource successfully + synced with Consul. + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-tlsroutes-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-tlsroutes-external.yaml new file mode 100644 index 0000000000..1acd1b973a --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-tlsroutes-external.yaml @@ -0,0 +1,291 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "The TLSRoute resource is similar to TCPRoute, but can be configured to match against TLS-specific metadata. This allows more flexibility in matching streams for a given TLS listener. \n If you need to forward traffic to a single target for a TLS listener, you could choose to use a TCPRoute with a TLS listener." + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match against the SNI attribute of TLS ClientHello message in TLS handshake. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n If a hostname is specified by both the Listener and TLSRoute, there must be at least one intersecting hostname for the TLSRoute to be attached to the Listener. For example: \n * A Listener with `test.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames, or have specified at least one of `test.example.com` or `*.example.com`. * A Listener with `*.example.com` as the hostname matches TLSRoutes that have either not specified any hostnames or have specified at least one hostname that matches the Listener hostname. For example, `test.example.com` and `*.example.com` would both match. On the other hand, `example.com` and `test.example.net` would not match. \n If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored. For example, if a Listener specified `*.example.com`, and the TLSRoute specified `test.example.com` and `test.example.net`, `test.example.net` must not be considered for a match. \n If both the Listener and TLSRoute have specified hostnames, and none match with the criteria above, then the TLSRoute is not accepted. The implementation must raise an 'Accepted' Condition with a status of `False` in the corresponding RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network host. This matches the RFC 1123 definition of a hostname with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard label must appear by itself as the first label. \n Hostname can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. `*.example.com`). \n Note that as per RFC1035 and RFC1123, a *label* must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the rule performs no forwarding; if no filters are specified that would result in a response being sent, the underlying implementation must actively reject request attempts to this backend, by rejecting the connection or returning a 500 status code. Request rejections must respect weight; if an invalid backend is requested to have 80% of requests, then 80% of requests must be rejected instead. \n Support: Core for Kubernetes Service \n Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/crd-trafficpermissions.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-trafficpermissions.yaml similarity index 100% rename from charts/hashicorp/consul/templates/crd-trafficpermissions.yaml rename to charts/hashicorp/consul/1.5.0/templates/crd-trafficpermissions.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/crd-udproutes-external.yaml b/charts/hashicorp/consul/1.5.0/templates/crd-udproutes-external.yaml new file mode 100644 index 0000000000..0661b24c1a --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/crd-udproutes-external.yaml @@ -0,0 +1,281 @@ +{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538 + gateway.networking.k8s.io/bundle-version: v0.6.2 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: crd + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: UDPRoute provides a way to route UDP traffic. When combined with a Gateway listener, it can be used to forward traffic on the port specified by the listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways) that a Route wants to be attached to. Note that the referenced parent resource needs to allow this for the attachment to be complete. For Gateways, that means the Gateway needs to allow attachment from Routes of this kind and namespace. \n The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources such as one of the route kinds. \n It is invalid to reference an identical parent more than once. It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway. \n It is possible to separately reference multiple distinct objects that may be collapsed by an implementation. For example, some implementations may choose to merge compatible Gateway Listeners together. If that is the case, the list of routes attached to those resources should also be merged. \n Note that for ParentRefs that cross namespace boundaries, there are specific rules. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example, Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually a Gateway) that can be considered a parent of this resource (usually a route). The only kind of parent resource with \"Core\" support is Gateway. This API may be extended in the future to support additional kinds of parent resources, such as HTTPRoute. \n The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + description: Rules are a list of UDP matchers and actions. + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching requests should be sent. If unspecified or invalid (refers to a non-existent resource or a Service with no endpoints), the underlying implementation MUST actively reject connection attempts to this backend. Packet drops must respect weight; if an invalid backend is requested to have 80% of the packets, then 80% of packets must be dropped instead. \n Support: Core for Kubernetes Service Support: Implementation-specific for any other resource \n Support for weight: Extended" + items: + description: "BackendRef defines how a Route should forward a request to a Kubernetes resource. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details." + properties: + group: + default: "" + description: Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example "HTTPRoute" or "Service". Defaults to "Service" when not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. \n Note that when a namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests forwarded to the referenced backend. This is computed as weight/(sum of all weights in this BackendRefs list). For non-zero values, there may be some epsilon from the exact proportion defined here depending on the precision an implementation supports. Weight is not a percentage and the sum of weights does not need to equal 100. \n If only one backend is specified and it has a weight greater than 0, 100% of the traffic is forwarded to that backend. If weight is set to 0, no traffic should be forwarded for this entry. If unspecified, weight defaults to 1. \n Support for this field varies based on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + minItems: 1 + type: array + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) that are associated with the route, and the status of the route with respect to each parent. When this route attaches to a parent, the controller that manages the parent must add an entry to this list when the controller first sees the route and should update the entry as appropriate when the route or gateway is modified. \n Note that parent references that cannot be resolved by an implementation of this API will not be added to this list. Implementations of this API can only populate Route status for the Gateways/parent resources they are responsible for. \n A maximum of 32 Gateways will be represented in this list. An empty list means the route has not been attached to any Gateway." + items: + description: RouteParentStatus describes the status of a route with respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with respect to the Gateway. Note that the route's availability is also subject to the Gateway's own status conditions and listener status. \n If the Route's ParentRef specifies an existing Gateway that supports Routes of this kind AND that Gateway's controller has sufficient access, then that Gateway's controller MUST set the \"Accepted\" condition on the Route, to indicate whether the route has been accepted or rejected by the Gateway, and why. \n A Route MUST be considered \"Accepted\" if at least one of the Route's rules is implemented by the Gateway. \n There are a number of cases where the \"Accepted\" condition may not be set due to lack of controller visibility, that includes when: \n * The Route refers to a non-existent parent. * The Route is of a type that the controller does not support. * The Route is in a namespace the controller does not have access to." + items: + description: "Condition contains details for one aspect of the current state of this API Resource. --- This struct is intended for direct use as an array at the field path .status.conditions. For example, \n \ttype FooStatus struct{ \t // Represents the observations of a foo's current state. \t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\" \t // +patchMergeKey=type \t // +patchStrategy=merge \t // +listType=map \t // +listMapKey=type \t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` \n \t // other fields \t}" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. \n Example: \"example.net/gateway-controller\". \n The format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). \n Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, \"gateway.networking.k8s.io\" is inferred. To set the core API group (such as for a \"Service\" kind referent), Group must be explicitly set to \"\" (empty string). \n Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: \n * Gateway: Listener Name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. \n Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. \n When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/hashicorp/consul/templates/create-federation-secret-job.yaml b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/create-federation-secret-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/create-federation-secret-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-podsecuritypolicy.yaml new file mode 100644 index 0000000000..8217311992 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if .Values.global.enablePodSecurityPolicies }} +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-role.yaml b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-role.yaml new file mode 100644 index 0000000000..086932a831 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-role.yaml @@ -0,0 +1,49 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{/* Must have separate rule for create secret permissions vs update because + can't set resourceNames for create (https://github.com/kubernetes/kubernetes/issues/80295) */}} + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-federation + verbs: + - update + {{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-acl-replication-acl-token + verbs: + - get + {{- end }} + {{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-create-federation-secret + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-rolebinding.yaml new file mode 100644 index 0000000000..3db8e7cb06 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-create-federation-secret +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-create-federation-secret +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-serviceaccount.yaml new file mode 100644 index 0000000000..e398ec69c4 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/create-federation-secret-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.federation.createFederationSecret }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-create-federation-secret + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: create-federation-secret + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/datadog-agent-role.yaml b/charts/hashicorp/consul/1.5.0/templates/datadog-agent-role.yaml new file mode 100644 index 0000000000..191e6433c6 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/datadog-agent-role.yaml @@ -0,0 +1,38 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: datadog + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +{{- if .Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-datadog-metrics + verbs: + - use +{{- end }} +{{- else}} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: + - {{ .Release.Namespace }}-datadog-agent-metrics-acl-token + verbs: [ "get", "watch", "list" ] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/templates/datadog-agent-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/datadog-agent-rolebinding.yaml new file mode 100644 index 0000000000..5fc3fdf545 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/datadog-agent-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.global.metrics.datadog.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-datadog-metrics + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: agent +subjects: + - kind: ServiceAccount + apiGroup: "" + name: datadog-agent + namespace: datadog + - kind: ServiceAccount + apiGroup: "" + name: datadog-cluster-agent + namespace: datadog +roleRef: + kind: Role + name: {{ template "consul.fullname" . }}-datadog-metrics + apiGroup: "" +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/templates/dns-service.yaml b/charts/hashicorp/consul/1.5.0/templates/dns-service.yaml new file mode 100644 index 0000000000..5bb446bc19 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/dns-service.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.dns.enabled | toString) "-") .Values.dns.enabled) (and (eq (.Values.dns.enabled | toString) "-") .Values.connectInject.transparentProxy.defaultEnabled)) }} +# Service for Consul DNS. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-dns + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: dns + {{- if .Values.dns.annotations }} + annotations: + {{ tpl .Values.dns.annotations . | nindent 4 | trim }} + {{- end }} +spec: +{{- if .Values.dns.type }} + type: {{ .Values.dns.type }} +{{- end }} +{{- if .Values.dns.clusterIP }} + clusterIP: {{ .Values.dns.clusterIP }} +{{- end }} + ports: + - name: dns-tcp + port: 53 + protocol: "TCP" + targetPort: dns-tcp + - name: dns-udp + port: 53 + protocol: "UDP" + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + hasDNS: "true" + {{- if .Values.dns.additionalSpec }} + {{ tpl .Values.dns.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/enterprise-license-job.yaml b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/enterprise-license-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/enterprise-license-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/enterprise-license-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cf96367473 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/enterprise-license-role.yaml b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-role.yaml new file mode 100644 index 0000000000..6a1b7fdffa --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-role.yaml @@ -0,0 +1,37 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies }} +rules: +{{- if .Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license-acl-token + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-enterprise-license + verbs: + - use +{{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/enterprise-license-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-rolebinding.yaml new file mode 100644 index 0000000000..a21118b431 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-enterprise-license +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-enterprise-license +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/enterprise-license-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-serviceaccount.yaml new file mode 100644 index 0000000000..31c9da841e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/enterprise-license-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey (not .Values.global.enterpriseLicense.enableLicenseAutoload)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-enterprise-license + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: license +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/expose-servers-service.yaml b/charts/hashicorp/consul/1.5.0/templates/expose-servers-service.yaml new file mode 100644 index 0000000000..d86cec9042 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/expose-servers-service.yaml @@ -0,0 +1,63 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} +{{- if (and $serverEnabled $serverExposeServiceEnabled) }} + +# Service with an external IP to reach Consul servers. +# Used for exposing gRPC port for peering and ports for client partitions to discover servers. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-expose-servers + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.exposeService.annotations }} + {{ tpl .Values.server.exposeService.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: "{{ .Values.server.exposeService.type }}" + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.http) }} + nodePort: {{ .Values.server.exposeService.nodePort.http }} + {{- end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.https) }} + nodePort: {{ .Values.server.exposeService.nodePort.https }} + {{- end }} + {{- end }} + - name: serflan + port: 8301 + targetPort: 8301 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.serf) }} + nodePort: {{ .Values.server.exposeService.nodePort.serf }} + {{- end }} + - name: rpc + port: 8300 + targetPort: 8300 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.rpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.rpc }} + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + {{ if (and (eq .Values.server.exposeService.type "NodePort") .Values.server.exposeService.nodePort.grpc) }} + nodePort: {{ .Values.server.exposeService.nodePort.grpc }} + {{- end }} + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrole.yaml new file mode 100644 index 0000000000..5518bfc390 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrole.yaml @@ -0,0 +1,44 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +rules: + - apiGroups: + - consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - delete + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + - gatewayclasses + - meshgateways + verbs: + - get + - delete +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-cleanup + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrolebinding.yaml new file mode 100644 index 0000000000..9235f32101 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/gateway-cleanup-job.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-cleanup-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ffbad130cc --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.connectInject.enabled .Values.global.enablePodSecurityPolicies)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..f50eb72d97 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-cleanup-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-cleanup +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrole.yaml new file mode 100644 index 0000000000..ad7082f060 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrole.yaml @@ -0,0 +1,47 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +rules: + - apiGroups: + - mesh.consul.hashicorp.com + resources: + - meshgateways + verbs: + - get + - update + - create + - apiGroups: + - consul.hashicorp.com + - mesh.consul.hashicorp.com + resources: + - gatewayclassconfigs + verbs: + - get + - update + - create + - apiGroups: + - gateway.networking.k8s.io + - mesh.consul.hashicorp.com + resources: + - gatewayclasses + verbs: + - get + - update + - create +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-gateway-resources + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrolebinding.yaml new file mode 100644 index 0000000000..921df23239 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-gateway-resources +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/templates/gateway-resources-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-configmap.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-configmap.yaml rename to charts/hashicorp/consul/1.5.0/templates/gateway-resources-configmap.yaml diff --git a/charts/hashicorp/consul/templates/gateway-resources-job.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gateway-resources-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/gateway-resources-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-resources-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-podsecuritypolicy.yaml new file mode 100644 index 0000000000..da5299194c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.connectInject.enabled)}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +spec: + privileged: false + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gateway-resources-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-serviceaccount.yaml new file mode 100644 index 0000000000..4611dc38e1 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gateway-resources-serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.connectInject.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gateway-resources + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gateway-resources +{{- end }} diff --git a/charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/gossip-encryption-autogenerate-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml new file mode 100644 index 0000000000..209b3aa343 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if and .Values.global.gossipEncryption.autoGenerate .Values.global.enablePodSecurityPolicies }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-role.yaml b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-role.yaml new file mode 100644 index 0000000000..8c51c96ffe --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-rolebinding.yaml new file mode 100644 index 0000000000..7118475f64 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml new file mode 100644 index 0000000000..1fd620237f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/gossip-encryption-autogenerate-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if .Values.global.gossipEncryption.autoGenerate }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: gossip-encryption-autogenerate + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/ingress-gateways-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/ingress-gateways-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..b847e44ebd --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.ingressGateways.enabled) }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-role.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-role.yaml new file mode 100644 index 0000000000..49e8486e58 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-role.yaml @@ -0,0 +1,46 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +rules: + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - get +{{- if $root.Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- end }} +{{- if $root.Values.global.acls.manageSystemACLs }} + - apiGroups: [""] + resources: + - secrets + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }}-acl-token + verbs: + - get +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-rolebinding.yaml new file mode 100644 index 0000000000..601de775f4 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- range .Values.ingressGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-service.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-service.yaml new file mode 100644 index 0000000000..cf54a740fe --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-service.yaml @@ -0,0 +1,51 @@ +{{- if .Values.ingressGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} + +{{- range .Values.ingressGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.service.annotations $service.annotations) }} + # We allow both default annotations and gateway-specific annotations + annotations: + {{- if $defaults.service.annotations }} + {{ tpl $defaults.service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $service.annotations }} + {{ tpl $service.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + ports: + {{- range $index, $ports := (default $defaults.service.ports $service.ports) }} + - name: gateway-{{ $index }} + port: {{ $ports.port }} + {{- if (and (eq (default $defaults.service.type $service.type) "NodePort") $ports.nodePort) }} + nodePort: {{ $ports.nodePort }} + {{- end}} + {{- end }} + type: {{ default $defaults.service.type $service.type }} + {{- if (default $defaults.service.additionalSpec $service.additionalSpec) }} + {{ tpl (default $defaults.service.additionalSpec $service.additionalSpec) $root | nindent 2 | trim }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..cea6cafc21 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ingress-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.ingressGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.ingressGateways.defaults }} +{{- range .Values.ingressGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: ingress-gateway + ingress-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrole.yaml new file mode 100644 index 0000000000..3053105105 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrole.yaml @@ -0,0 +1,36 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +{{- if or .Values.global.acls.manageSystemACLs .Values.global.enablePodSecurityPolicies (eq .Values.meshGateway.wanAddress.source "Service") }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - use +{{- end }} +{{- if eq .Values.meshGateway.wanAddress.source "Service" }} + - apiGroups: [""] + resources: + - services + resourceNames: + - {{ template "consul.fullname" . }}-mesh-gateway + verbs: + - get + {{- end }} +{{- else }} +rules: [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrolebinding.yaml new file mode 100644 index 0000000000..2fb80fc04c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-clusterrolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-mesh-gateway +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/mesh-gateway-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/mesh-gateway-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-podsecuritypolicy.yaml new file mode 100644 index 0000000000..56e4b7924c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-podsecuritypolicy.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + {{- if .Values.meshGateway.hostNetwork }} + hostNetwork: {{ .Values.meshGateway.hostNetwork }} + {{- else }} + hostNetwork: false + {{- end }} + hostPorts: + {{- if .Values.meshGateway.hostPort }} + - min: {{ .Values.meshGateway.hostPort }} + max: {{ .Values.meshGateway.hostPort }} + {{- else if .Values.meshGateway.hostNetwork }} + - min: {{ .Values.meshGateway.containerPort }} + max: {{ .Values.meshGateway.containerPort }} + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-service.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-service.yaml new file mode 100644 index 0000000000..80f82ac897 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-service.yaml @@ -0,0 +1,35 @@ +{{- if and .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.service.annotations }} + annotations: + {{ tpl .Values.meshGateway.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: mesh-gateway + ports: + - name: gateway + port: {{ .Values.meshGateway.service.port }} + targetPort: {{ .Values.meshGateway.containerPort }} + {{- if .Values.meshGateway.service.nodePort }} + nodePort: {{ .Values.meshGateway.service.nodePort }} + {{- end}} + type: {{ .Values.meshGateway.service.type }} + {{- if .Values.meshGateway.service.additionalSpec }} + {{ tpl .Values.meshGateway.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-serviceaccount.yaml new file mode 100644 index 0000000000..b1a0661eaa --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/mesh-gateway-serviceaccount.yaml @@ -0,0 +1,25 @@ +{{- if .Values.meshGateway.enabled }} +{{- if not (mustHas "resource-apis" .Values.global.experiments) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-mesh-gateway + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: mesh-gateway + {{- if .Values.meshGateway.serviceAccount.annotations }} + annotations: + {{ tpl .Values.meshGateway.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/partition-init-job.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-init-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/partition-init-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/partition-init-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/partition-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..2bc6782394 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/partition-init-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled .Values.global.enablePodSecurityPolicies (not $serverEnabled)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/partition-init-role.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-init-role.yaml new file mode 100644 index 0000000000..c13a5378eb --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/partition-init-role.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: + - apiGroups: [""] + resources: + - secrets + verbs: + - create + - get +{{- if .Values.connectInject.enabled }} + - apiGroups: [""] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-connect-injector + verbs: + - get +{{- end }} +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-partition-init + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/partition-init-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-init-rolebinding.yaml new file mode 100644 index 0000000000..432d6df6ec --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/partition-init-rolebinding.yaml @@ -0,0 +1,24 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-partition-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-partition-init +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/partition-init-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-init-serviceaccount.yaml new file mode 100644 index 0000000000..65fcf43b08 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/partition-init-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-partition-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/partition-name-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/partition-name-configmap.yaml new file mode 100644 index 0000000000..ee330b0f46 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/partition-name-configmap.yaml @@ -0,0 +1,19 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (and .Values.global.adminPartitions.enabled (not $serverEnabled)) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-partition + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: partition-init +immutable: true +data: + partitionName: {{ .Values.global.adminPartitions.name }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/prometheus.yaml b/charts/hashicorp/consul/1.5.0/templates/prometheus.yaml new file mode 100644 index 0000000000..a708708daf --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/prometheus.yaml @@ -0,0 +1,488 @@ +{{- if .Values.prometheus.enabled }} +# This file is auto-generated, see addons/gen.sh +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-server +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + name: prometheus-server + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + consul.hashicorp.com/connect-inject: "false" + consul.hashicorp.com/mesh-inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.2.1 + heritage: Helm + spec: + serviceAccountName: prometheus-server + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.4.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "quay.io/prometheus/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus-server + - name: storage-volume + emptyDir: + {} +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-cleanup-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..dd5dad24df --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-role.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-role.yaml new file mode 100644 index 0000000000..0a2f296a60 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-role.yaml @@ -0,0 +1,28 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +rules: + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "delete"] +{{- if .Values.global.enablePodSecurityPolicies }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init-cleanup + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..268eaa5677 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..604e6d784c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-cleanup-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init-cleanup +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-acl-init-job.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-acl-init-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/server-acl-init-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..9bf93e2551 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-podsecuritypolicy.yaml @@ -0,0 +1,41 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +{{- if .Values.global.enablePodSecurityPolicies }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +spec: + privileged: false + # Allow core volume types. + volumes: + - 'secret' + - 'emptyDir' + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-role.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-role.yaml new file mode 100644 index 0000000000..eb7b6a928e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-role.yaml @@ -0,0 +1,38 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +rules: +- apiGroups: [ "" ] + resources: + - secrets + verbs: + - create + - get +- apiGroups: [ "" ] + resources: + - serviceaccounts + resourceNames: + - {{ template "consul.fullname" . }}-auth-method + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + resourceNames: + - {{ template "consul.fullname" . }}-server-acl-init + verbs: + - use +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-rolebinding.yaml new file mode 100644 index 0000000000..fda4726d9f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-rolebinding.yaml @@ -0,0 +1,23 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server-acl-init +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server-acl-init +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-acl-init-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-serviceaccount.yaml new file mode 100644 index 0000000000..c0e257de96 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-acl-init-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} +{{- if (or $serverEnabled .Values.externalServers.enabled) }} +{{- if .Values.global.acls.manageSystemACLs }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server-acl-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server-acl-init +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/server-clusterrole.yaml new file mode 100644 index 0000000000..c22f562264 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-clusterrole.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: + - get diff --git a/charts/hashicorp/consul/1.5.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..854fda870e --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-server +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-config-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..8c74364a29 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-config-configmap.yaml @@ -0,0 +1,220 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (not (or (eq .Values.server.limits.requestLimits.mode "disabled") (eq .Values.server.limits.requestLimits.mode "permissive") (eq .Values.server.limits.requestLimits.mode "enforce"))) }}{{fail "server.limits.requestLimits.mode must be one of the following values: disabled, permissive, and enforce." }}{{ end -}} +{{- if and .Values.server.auditLogs.enabled (not .Values.global.acls.manageSystemACLs) }}{{fail "ACLs must be enabled inorder to configure audit logs"}}{{ end -}} +# StatefulSet to run the actual Consul server cluster. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + server.json: | + { + {{- if and .Values.global.secretsBackend.vault.enabled }} + "auto_reload_config": true, + {{- end }} + "bind_addr": "0.0.0.0", + "bootstrap_expect": {{ if .Values.server.bootstrapExpect }}{{ .Values.server.bootstrapExpect }}{{ else }}{{ .Values.server.replicas }}{{ end }}, + "client_addr": "0.0.0.0", + "connect": { + "enabled": {{ .Values.server.connect }} + }, + "datacenter": "{{ .Values.global.datacenter }}", + "data_dir": "/consul/data", + {{- if .Values.server.logLevel }} + "log_level": "{{ .Values.server.logLevel | upper }}", + {{- end }} + "enable_debug": {{ .Values.server.enableAgentDebug }}, + "domain": "{{ .Values.global.domain }}", + "limits": { + "request_limits": { + "mode": "{{ .Values.server.limits.requestLimits.mode }}", + "read_rate": {{ .Values.server.limits.requestLimits.readRate }}, + "write_rate": {{ .Values.server.limits.requestLimits.writeRate }} + } + }, + "ports": { + {{- if not .Values.global.tls.enabled }} + "grpc": 8502, + "grpc_tls": -1, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc": -1, + "grpc_tls": 8502, + {{- end }} + "serf_lan": {{ .Values.server.ports.serflan.port }} + }, + "recursors": {{ .Values.global.recursors | toJson }}, + "retry_join": ["{{template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc:{{ .Values.server.ports.serflan.port }}"], + {{- if .Values.global.peering.enabled }} + "peering": { + "enabled": true + }, + {{- end }} + "server": true, + "leave_on_terminate": true, + "autopilot": { + "min_quorum": {{ template "consul.server.autopilotMinQuorum" . }}, + "disable_upgrade_migration": true + } + } + {{- $vaultConnectCAEnabled := and .Values.global.secretsBackend.vault.connectCA.address .Values.global.secretsBackend.vault.connectCA.rootPKIPath .Values.global.secretsBackend.vault.connectCA.intermediatePKIPath -}} + {{- if and .Values.global.secretsBackend.vault.enabled $vaultConnectCAEnabled }} + {{- with .Values.global.secretsBackend.vault }} + connect-ca-config.json: | + { + "connect": [ + { + "ca_config": [ + { + "address": "{{ .connectCA.address }}", + {{- if and .ca.secretName .ca.secretKey }} + "ca_file": "/consul/vault-ca/tls.crt", + {{- end }} + "intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}", + {{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }} + "namespace": "{{ .vaultNamespace }}", + {{- end }} + "root_pki_path": "{{ .connectCA.rootPKIPath }}", + "auth_method": { + "type": "kubernetes", + "mount_path": "{{ .connectCA.authMethodPath }}", + "params": { + "role": "{{ .consulServerRole }}" + } + } + } + ], + "ca_provider": "vault" + } + ] + } + {{- if .connectCA.additionalConfig }} + additional-connect-ca-config.json: | +{{ tpl .connectCA.additionalConfig $ | trimAll "\"" | indent 4 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + acl-config.json: |- + { + "acl": { + "enabled": true, + "default_policy": "deny", + "down_policy": "extend-cache", + {{- if (and .Values.global.acls.replicationToken.secretName .Values.global.acls.replicationToken.secretKey) }} + "enable_token_replication": true, + {{- end }} + "enable_token_persistence": true + } + } + {{- end }} + {{- if .Values.global.tls.enabled }} + tls-config.json: |- + { + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + "grpc": { + "verify_incoming": false + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, + {{- if .Values.global.tls.enableAutoEncrypt }} + "auto_encrypt": { + "allow_tls": true + }, + {{- end }} + "ports": { + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } + } + {{- end }} + {{- if .Values.ui.enabled }} + ui-config.json: |- + { + "ui_config": { + {{- if (or (eq "true" (.Values.ui.metrics.enabled | toString) ) (and .Values.global.metrics.enabled (eq "-" (.Values.ui.metrics.enabled | toString)))) }} + "metrics_provider": "{{ .Values.ui.metrics.provider }}", + "metrics_proxy": { + "base_url": "{{ .Values.ui.metrics.baseURL }}" + }, + {{- end }} + {{- if .Values.ui.dashboardURLTemplates.service }} + "dashboard_url_templates": { + "service": "{{ .Values.ui.dashboardURLTemplates.service }}" + }, + {{- end }} + "enabled": true + } + } + {{- end }} + central-config.json: |- + { + "enable_central_service_config": true + } + {{- if .Values.global.federation.enabled }} + federation-config.json: |- + { + "primary_datacenter": "{{ .Values.global.federation.primaryDatacenter }}", + "primary_gateways": {{ .Values.global.federation.primaryGateways | toJson }}, + "connect": { + "enable_mesh_gateway_wan_federation": true + } + } + {{- end }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableAgentMetrics) }} + telemetry-config.json: |- + { + "telemetry": { + "prometheus_retention_time": "{{ .Values.global.metrics.agentMetricsRetentionTime }}", + "disable_hostname": {{ .Values.global.metrics.disableAgentHostName }},{{ template "consul.prefixFilter" . }} + "enable_host_metrics": {{ .Values.global.metrics.enableHostMetrics }}{{- if .Values.global.metrics.datadog.dogstatsd.enabled }},{{ template "consul.dogstatsdAaddressInfo" . }} + {{- if .Values.global.metrics.datadog.dogstatsd.enabled }} + "dogstatsd_tags": {{ .Values.global.metrics.datadog.dogstatsd.dogstatsdTags | toJson }} + {{- end }} + {{- end }} + } + } + {{- end }} + {{- if and .Values.server.auditLogs.enabled .Values.global.acls.manageSystemACLs }} + audit-logging.json: |- + { + "audit": { + "enabled": true, + "sink": { + {{- range $index, $element := .Values.server.auditLogs.sinks }} + {{- if ne $index 0 }},{{end}} + "{{ get $element "name" }}": {{ omit $element "name" | toJson }} + {{- end }} + } + } + } + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/consul/1.5.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..56805edc2a --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,26 @@ +{{- if (and .Values.server.disruptionBudget.enabled (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + maxUnavailable: {{ template "consul.server.pdb.maxUnavailable" . }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/server-podsecuritypolicy.yaml new file mode 100644 index 0000000000..09e8d75bd1 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-podsecuritypolicy.yaml @@ -0,0 +1,53 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostPorts: + {{- if .Values.server.exposeGossipAndRPCPorts }} + - min: 8300 + max: 8300 + - min: {{ .Values.server.ports.serflan.port }} + max: {{ .Values.server.ports.serflan.port }} + - min: 8302 + max: 8302 + - min: 8502 + max: 8502 + {{- end }} + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-role.yaml b/charts/hashicorp/consul/1.5.0/templates/server-role.yaml new file mode 100644 index 0000000000..202518bf67 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-role.yaml @@ -0,0 +1,34 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +{{- if (or (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts) .Values.global.enablePodSecurityPolicies) }} +rules: +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts ) }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: + - {{ template "consul.fullname" . }}-server + verbs: + - use +{{- end }} +{{- else}} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/server-rolebinding.yaml new file mode 100644 index 0000000000..8ab705ddbc --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-server +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-server +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-securitycontextconstraints.yaml b/charts/hashicorp/consul/1.5.0/templates/server-securitycontextconstraints.yaml new file mode 100644 index 0000000000..8edd784ea7 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-securitycontextconstraints.yaml @@ -0,0 +1,49 @@ +{{- if (and .Values.global.openshift.enabled .Values.server.exposeGossipAndRPCPorts (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + kubernetes.io/description: {{ template "consul.fullname" . }}-server are the security context constraints required + to run the consul server. +allowHostPorts: true +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostPID: false +allowHostNetwork: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +defaultAddCapabilities: null +fsGroup: + type: MustRunAs +groups: [] +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsRange +seLinuxContext: + type: MustRunAs +supplementalGroups: + type: MustRunAs +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +{{- end -}} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-service.yaml b/charts/hashicorp/consul/1.5.0/templates/server-service.yaml new file mode 100644 index 0000000000..a392f0e76b --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-service.yaml @@ -0,0 +1,72 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# Headless service for Consul server DNS entries. This service should only +# point to Consul servers. For access to an agent, one should assume that +# the agent is installed locally on the node and the NODE_IP should be used. +# If the node can't run a Consul agent, then this service can be used to +# communicate directly to a server agent. +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + annotations: + {{- if .Values.server.service.annotations }} + {{ tpl .Values.server.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + clusterIP: None + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: true + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: 8500 + targetPort: 8500 + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: 8501 + targetPort: 8501 + {{- end }} + - name: grpc + port: 8502 + targetPort: 8502 + - name: serflan-tcp + protocol: "TCP" + port: 8301 + targetPort: 8301 + - name: serflan-udp + protocol: "UDP" + port: 8301 + targetPort: 8301 + - name: serfwan-tcp + protocol: "TCP" + port: 8302 + targetPort: 8302 + - name: serfwan-udp + protocol: "UDP" + port: 8302 + targetPort: 8302 + - name: server + port: 8300 + targetPort: 8300 + - name: dns-tcp + protocol: "TCP" + port: 8600 + targetPort: dns-tcp + - name: dns-udp + protocol: "UDP" + port: 8600 + targetPort: dns-udp + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..a1617975ae --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-server + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server + {{- if .Values.server.serviceAccount.annotations }} + annotations: + {{ tpl .Values.server.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/server-snapshot-agent-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-snapshot-agent-configmap.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.snapshotAgent.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + snapshot-login.json: | + { + "snapshot_agent": { + "login": { + "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method", + "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token", + "meta": {"component": "snapshot-agent"} + } + } + } +{{- end }} diff --git a/charts/hashicorp/consul/templates/server-statefulset.yaml b/charts/hashicorp/consul/1.5.0/templates/server-statefulset.yaml similarity index 100% rename from charts/hashicorp/consul/templates/server-statefulset.yaml rename to charts/hashicorp/consul/1.5.0/templates/server-statefulset.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/server-tmp-extra-config-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/server-tmp-extra-config-configmap.yaml new file mode 100644 index 0000000000..a42d6d09f6 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/server-tmp-extra-config-configmap.yaml @@ -0,0 +1,21 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +# ConfigMap that is used as a temporary landing spot so that the container command +# in the server-stateful set where it needs to be transformed. ConfigMaps create +# read only volumes so it needs to be copied and transformed to the extra-config +# emptyDir volume where all final extra cofngi lives for use in consul. (locality-init +# also writes to extra-config volume.) +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-server-tmp-extra-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: server +data: + extra-from-values.json: |- +{{ tpl .Values.server.extraConfig . | trimAll "\"" | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrole.yaml new file mode 100644 index 0000000000..89ea9f3c5c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrole.yaml @@ -0,0 +1,60 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +rules: +- apiGroups: [ "" ] + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - get + - list + - watch +{{- if .Values.syncCatalog.toK8S }} + - update + - patch + - delete + - create +{{- end }} +- apiGroups: [ "" ] + resources: + - nodes + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: [ "policy" ] + resources: [ "podsecuritypolicies" ] + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-sync-catalog +{{- end }} +- apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrolebinding.yaml new file mode 100644 index 0000000000..818823cca3 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-sync-catalog +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/sync-catalog-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/sync-catalog-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/sync-catalog-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/sync-catalog-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-podsecuritypolicy.yaml new file mode 100644 index 0000000000..cc70feaab1 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled))) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/sync-catalog-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-serviceaccount.yaml new file mode 100644 index 0000000000..deab1ad075 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/sync-catalog-serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- $syncEnabled := (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }} +{{- if $syncEnabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-sync-catalog + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: sync-catalog + {{- if .Values.syncCatalog.serviceAccount.annotations }} + annotations: + {{ tpl .Values.syncCatalog.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-configmap.yaml new file mode 100644 index 0000000000..0bf5b8753c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (and .Values.telemetryCollector.enabled .Values.telemetryCollector.customExporterConfig) }} +# Immutable ConfigMap which saves the partition name. Attempting to update this configmap +# with a new Admin Partition name will cause the helm upgrade to fail +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +data: + config.json: |- + {{ tpl .Values.telemetryCollector.customExporterConfig . | trimAll "\"" | indent 4 }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/telemetry-collector-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/telemetry-collector-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-podsecuritypolicy.yaml new file mode 100644 index 0000000000..f4c05a2f33 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-podsecuritypolicy.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: telemetry-collector +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-role.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-role.yaml new file mode 100644 index 0000000000..f89373252d --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-role.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" . }}-telemetry-collector + verbs: + - use +{{- end }} + diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-rolebinding.yaml new file mode 100644 index 0000000000..1f9a896997 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.global.enablePodSecurityPolicies .Values.telemetryCollector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-telemetry-collector +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} + diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-service.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-service.yaml new file mode 100644 index 0000000000..266c80b4bf --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-service.yaml @@ -0,0 +1,24 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{ if .Values.telemetryCollector.service.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + type: ClusterIP + ports: + - port: 9356 + targetPort: 9356 + selector: + app: consul + component: consul-telemetry-collector +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-serviceaccount.yaml new file mode 100644 index 0000000000..fca58eede9 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-serviceaccount.yaml @@ -0,0 +1,23 @@ +{{- if .Values.telemetryCollector.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: consul-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.telemetryCollector.serviceAccount.annotations }} + annotations: + {{ tpl .Values.telemetryCollector.serviceAccount.annotations . | nindent 4 | trim }} + {{- end }} +automountServiceAccountToken: true +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-v2-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-v2-deployment.yaml new file mode 100644 index 0000000000..09f4a2dbbc --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/telemetry-collector-v2-deployment.yaml @@ -0,0 +1,415 @@ +{{- if and .Values.telemetryCollector.enabled (mustHas "resource-apis" .Values.global.experiments) }} +{{- if not .Values.telemetryCollector.image}}{{ fail "telemetryCollector.image must be set to enable consul-telemetry-collector" }}{{ end }} +{{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}} +{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} +{{ template "consul.validateCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorCloud" . }} +{{ template "consul.validateTelemetryCollectorCloudSecretKeys" . }} +{{ template "consul.validateTelemetryCollectorResourceId" . }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "consul.fullname" . }}-telemetry-collector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.telemetryCollector.replicas }} + selector: + matchLabels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + template: + metadata: + annotations: + "consul.hashicorp.com/mesh-inject": "false" + # This annotation tells the pod controller that this pod was injected even though it wasn't. + # This ensures the pod controller will sync a workload for the pod into Consul + "consul.hashicorp.com/mesh-inject-status": "injected" + # We aren't using tproxy and we don't have an original pod. This would be simpler if we made a path similar + # to gateways + "consul.hashicorp.com/transparent-proxy": "false" + "consul.hashicorp.com/transparent-proxy-overwrite-probes": "false" + "consul.hashicorp.com/consul-k8s-version": {{ $.Chart.Version }} + {{- if .Values.telemetryCollector.customExporterConfig }} + # configmap checksum + "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/telemetry-collector-configmap.yaml") . | sha256sum }} + {{- end }} + # vault annotations + {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} + "vault.hashicorp.com/agent-init-first": "true" + "vault.hashicorp.com/agent-inject": "true" + "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} + "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} + "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} + {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} + "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" + "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" + {{- end }} + {{- if .Values.global.secretsBackend.vault.agentAnnotations }} + {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} + {{- end }} + {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} + "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" + {{- end }} + {{- end }} + + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + release: {{ .Release.Name }} + component: consul-telemetry-collector + {{- if .Values.global.extraLabels }} + {{- toYaml .Values.global.extraLabels | nindent 8 }} + {{- end }} + spec: + # This needs to explicitly be consul-telemetry-collector because we look this up from each service consul-dataplane + # to forward metrics to it. + serviceAccountName: consul-telemetry-collector + initContainers: + # We're manually managing this init container instead of using the mesh injector so that we don't run into + # any race conditions on the mesh-injector deployment or upgrade + - name: consul-mesh-init + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + # acl login info + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_LOGIN_AUTH_METHOD + value: {{ template "consul.fullname" . }}-k8s-auth-method + - name: CONSUL_LOGIN_DATACENTER + value: {{ .Values.global.datacenter }} + - name: CONSUL_LOGIN_META + value: "component=consul-telemetry-collector,pod=$(NAMESPACE)/$(POD_NAME)" + {{- end }} + # service and login namespace + # this is attempting to replicate the behavior of webhooks in calculating namespace + # https://github.com/hashicorp/consul-k8s/blob/b84339050bb2c4b62b60cec96275f74952b0ac9d/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go#L200 + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - name: CONSUL_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - name: CONSUL_LOGIN_NAMESPACE + value: "default" + {{- else }} + - name: CONSUL_LOGIN_NAMESPACE + value: {{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + command: + - /bin/sh + - -ec + - |- + exec consul-k8s-control-plane mesh-init -proxy-name=${POD_NAME} \ + -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} \ + -log-json={{ .Values.global.logJSON }} + + image: {{ .Values.global.imageK8S }} + imagePullPolicy: IfNotPresent + {{- if .Values.telemetryCollector.initContainer.resources }} + resources: + {{- toYaml .Values.telemetryCollector.initContainer.resources | nindent 12 }} + {{- else }} + resources: + limits: + cpu: 50m + memory: 150Mi + requests: + cpu: 50m + memory: 25Mi + {{- end }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + containers: + - name: consul-telemetry-collector + image: {{ .Values.telemetryCollector.image }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 9090 + name: metrics + protocol: TCP + - containerPort: 9356 + name: metricsserver + protocol: TCP + env: + # These are mounted as secrets so that the telemetry-collector can use them when cloud is enabled. + # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, + # HCP_SCADA_ADDRESS, and HCP_API_HOST. so nothing more needs to be done. + # - HCP_RESOURCE_ID is created either in the global cloud section or in telemetryCollector.cloud + {{- if .Values.telemetryCollector.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.resourceId.secretName }} + key: {{ .Values.telemetryCollector.cloud.resourceId.secretKey }} + {{- else if .Values.global.cloud.resourceId.secretName }} + - name: HCP_RESOURCE_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.resourceId.secretName }} + key: {{ .Values.global.cloud.resourceId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientId.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientId.secretKey }} + {{- else if .Values.global.cloud.clientId.secretName }} + - name: HCP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientId.secretName }} + key: {{ .Values.global.cloud.clientId.secretKey }} + {{- end }} + {{- if .Values.telemetryCollector.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.telemetryCollector.cloud.clientSecret.secretName }} + key: {{ .Values.telemetryCollector.cloud.clientSecret.secretKey }} + {{- else if .Values.global.cloud.clientSecret.secretName }} + - name: HCP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.clientSecret.secretName }} + key: {{ .Values.global.cloud.clientSecret.secretKey }} + {{- end}} + {{- if .Values.global.cloud.authUrl.secretName }} + - name: HCP_AUTH_URL + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.authUrl.secretName }} + key: {{ .Values.global.cloud.authUrl.secretKey }} + {{- end}} + {{- if .Values.global.cloud.apiHost.secretName }} + - name: HCP_API_HOST + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.apiHost.secretName }} + key: {{ .Values.global.cloud.apiHost.secretKey }} + {{- end}} + {{- if .Values.global.cloud.scadaAddress.secretName }} + - name: HCP_SCADA_ADDRESS + valueFrom: + secretKeyRef: + name: {{ .Values.global.cloud.scadaAddress.secretName }} + key: {{ .Values.global.cloud.scadaAddress.secretKey }} + {{- end}} + {{- if .Values.global.trustedCAs }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/trusted-cas" + {{- end }} + {{- include "consul.extraEnvironmentVars" .Values.telemetryCollector | nindent 12 }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.global.trustedCAs }} + {{- range $i, $cert := .Values.global.trustedCAs }} + cat < /trusted-cas/custom-ca-{{$i}}.pem + {{- $cert | nindent 10 }} + EOF + {{- end }} + {{- end }} + + exec consul-telemetry-collector agent \ + {{- if .Values.telemetryCollector.customExporterConfig }} + -config-file-path /consul/config/config.json \ + {{ end }} + volumeMounts: + {{- if .Values.telemetryCollector.customExporterConfig }} + - name: config + mountPath: /consul/config + {{- end }} + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + mountPath: /trusted-cas + readOnly: false + {{- end }} + resources: + {{- if .Values.telemetryCollector.resources }} + {{- toYaml .Values.telemetryCollector.resources | nindent 12 }} + {{- end }} + # consul-dataplane container + - name: consul-dataplane + image: "{{ .Values.global.imageConsulDataplane }}" + imagePullPolicy: IfNotPresent + command: + - consul-dataplane + args: + # addresses + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + # grpc + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + # tls + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + - -ca-certs=/vault/secrets/serverca.crt + {{- else }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + # credentials + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" . }}-k8s-auth-method + {{- end }} + # service and login namespace + {{- if .Values.global.enableConsulNamespaces }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }}{{ .Release.Namespace }} + {{- else }} + - -service-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} + - -login-namespace=default + {{- else }} + - -login-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} + {{- end }} + {{- end }} + {{- end }} + # service and login partition + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- if .Values.global.acls.manageSystemACLs }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + # telemetry + {{- if .Values.global.metrics.enabled }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + - -log-level={{ default .Values.global.logLevel .Values.telemetryCollector.logLevel }} + - -log-json={{ .Values.global.logJSON }} + - -envoy-concurrency=2 + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: DP_PROXY_ID + value: $(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=consul-telemetry-collector + - name: TMPDIR + value: /consul/mesh-inject + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 1 + periodSeconds: 10 + successThreshold: 1 + tcpSocket: + port: 20000 + timeoutSeconds: 1 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: 5995 + runAsNonRoot: true + runAsUser: 5995 + # dataplane volume mounts + volumeMounts: + - mountPath: /consul/mesh-inject + name: consul-mesh-inject-data + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- end }} + + {{- if .Values.telemetryCollector.nodeSelector }} + nodeSelector: + {{ tpl .Values.telemetryCollector.nodeSelector . | indent 8 | trim }} + {{- end }} + {{- if .Values.telemetryCollector.priorityClassName }} + priorityClassName: {{ .Values.telemetryCollector.priorityClassName }} + {{- end }} + volumes: + - emptyDir: + medium: Memory + name: consul-mesh-inject-data + {{- if .Values.global.trustedCAs }} + - name: trusted-cas + emptyDir: + medium: "Memory" + {{- end }} + {{- if .Values.global.tls.enabled }} + {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + secret: + {{- if .Values.global.tls.caCert.secretName }} + secretName: {{ .Values.global.tls.caCert.secretName }} + {{- else }} + secretName: {{ template "consul.fullname" . }}-ca-cert + {{- end }} + items: + - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} + path: tls.crt + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ template "consul.fullname" . }}-telemetry-collector +{{- end }} diff --git a/charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/terminating-gateways-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/terminating-gateways-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-podsecuritypolicy.yaml new file mode 100644 index 0000000000..7307fb8be9 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-podsecuritypolicy.yaml @@ -0,0 +1,47 @@ +{{- if (and .Values.global.enablePodSecurityPolicies .Values.terminatingGateways.enabled) }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + defaultAddCapabilities: + - NET_BIND_SERVICE + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-role.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-role.yaml new file mode 100644 index 0000000000..51e37664d3 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-role.yaml @@ -0,0 +1,32 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +{{- if $root.Values.global.enablePodSecurityPolicies }} +rules: + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + resourceNames: + - {{ template "consul.fullname" $root }}-{{ .name }} + verbs: + - use +{{- else }} +rules: [] +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-rolebinding.yaml new file mode 100644 index 0000000000..4271f8f59c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-rolebinding.yaml @@ -0,0 +1,26 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- range .Values.terminatingGateways.gateways }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" $root }}-{{ .name }} +subjects: + - kind: ServiceAccount + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-service.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-service.yaml new file mode 100644 index 0000000000..124900e727 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.terminatingGateways.enabled }} + +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} + +{{- range .Values.terminatingGateways.gateways }} + +{{- $service := .service }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway +spec: + selector: + app: {{ template "consul.name" $root }} + release: "{{ $root.Release.Name }}" + component: terminating-gateway + type: ClusterIP + ports: + - port: 80 + targetPort: 8443 +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-serviceaccount.yaml new file mode 100644 index 0000000000..211fb5c72f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/terminating-gateways-serviceaccount.yaml @@ -0,0 +1,35 @@ +{{- if .Values.terminatingGateways.enabled }} +{{- $root := . }} +{{- $defaults := .Values.terminatingGateways.defaults }} +{{- range .Values.terminatingGateways.gateways }} +{{- $serviceAccount := .serviceAccount }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" $root }}-{{ .name }} + namespace: {{ $root.Release.Namespace }} + labels: + app: {{ template "consul.name" $root }} + chart: {{ template "consul.chart" $root }} + heritage: {{ $root.Release.Service }} + release: {{ $root.Release.Name }} + component: terminating-gateway + terminating-gateway-name: {{ template "consul.fullname" $root }}-{{ .name }} + {{- if (or $defaults.serviceAccount.annotations $serviceAccount.annotations) }} + annotations: + {{- if $defaults.serviceAccount.annotations }} + {{ tpl $defaults.serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- if $serviceAccount.annotations }} + {{ tpl $serviceAccount.annotations $root | nindent 4 | trim }} + {{- end }} + {{- end }} +{{- with $root.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/tests/test-runner.yaml b/charts/hashicorp/consul/1.5.0/templates/tests/test-runner.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tests/test-runner.yaml rename to charts/hashicorp/consul/1.5.0/templates/tests/test-runner.yaml diff --git a/charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-cleanup-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-podsecuritypolicy.yaml new file mode 100644 index 0000000000..ed99d5f297 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-role.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-role.yaml new file mode 100644 index 0000000000..aa66e3edc4 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-role.yaml @@ -0,0 +1,41 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: +- apiGroups: [""] + resources: + - secrets + resourceNames: + {{- if (not (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName)) }} + - {{ template "consul.fullname" . }}-ca-cert + - {{ template "consul.fullname" . }}-ca-key + {{- end }} + - {{ template "consul.fullname" . }}-server-cert + verbs: + - delete +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-rolebinding.yaml new file mode 100644 index 0000000000..0d3bfe38e7 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init-cleanup +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init-cleanup +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-serviceaccount.yaml new file mode 100644 index 0000000000..57e40dd3af --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-cleanup-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init-cleanup + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init-cleanup + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/templates/tls-init-job.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-job.yaml similarity index 100% rename from charts/hashicorp/consul/templates/tls-init-job.yaml rename to charts/hashicorp/consul/1.5.0/templates/tls-init-job.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-podsecuritypolicy.yaml new file mode 100644 index 0000000000..5d2a393955 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and (and .Values.global.tls.enabled .Values.global.enablePodSecurityPolicies) (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-role.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-role.yaml new file mode 100644 index 0000000000..216602ee9f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-role.yaml @@ -0,0 +1,38 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +rules: +- apiGroups: [""] + resources: + - secrets + verbs: + - create + - update + - get + - list +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: ["policy"] + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-rolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-rolebinding.yaml new file mode 100644 index 0000000000..9b68d97d8c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-rolebinding.yaml @@ -0,0 +1,27 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "consul.fullname" . }}-tls-init +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-tls-init +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/tls-init-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/tls-init-serviceaccount.yaml new file mode 100644 index 0000000000..f8504da94c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/tls-init-serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) }} +{{- if (and .Values.global.tls.enabled (not .Values.server.serverCert.secretName)) }} +{{- if not .Values.global.secretsBackend.vault.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-tls-init + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: tls-init + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range . }} + - name: {{ .name }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ui-ingress.yaml b/charts/hashicorp/consul/1.5.0/templates/ui-ingress.yaml new file mode 100644 index 0000000000..f8c7f92a77 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ui-ingress.yaml @@ -0,0 +1,85 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and (ne (.Values.ui.ingress.enabled | toString) "-") .Values.ui.ingress.enabled) }} +{{- $serviceName := printf "%s-%s" (include "consul.fullname" .) "ui" -}} +{{- /* We use the kube version to determine if the apiVersion of networking.k8s.io should be v1 or v1beta1. +This is because while networks.k8s.io/v1 was introduced in Kubernetes v1.15+, the Ingress resource was +promoted to v1 only in Kubernetes v1.19+. This ensures the correct API version is chosen that supports +the Ingress resource. */}} +{{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} +apiVersion: networking.k8s.io/v1 +{{- else }} +apiVersion: networking.k8s.io/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.ingress.annotations }} + annotations: + {{ tpl .Values.ui.ingress.annotations . | nindent 4 | trim }} + {{- end }} +spec: + {{- if ne .Values.ui.ingress.ingressClassName "" }} + ingressClassName: {{ .Values.ui.ingress.ingressClassName }} + {{- end }} + rules: + {{- $global := .Values.global }} + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "19" ) }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 80 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + service: + name: {{ $serviceName }} + port: + number: 443 + path: {{ . }} + pathType: {{ $.Values.ui.ingress.pathType }} + {{- end }} + {{- end }} + {{- end }} + {{- else }} + {{- range .Values.ui.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range (.paths | default (list "/")) }} + {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 80 + path: {{ . }} + {{- end }} + {{- if $global.tls.enabled }} + - backend: + serviceName: {{ $serviceName }} + servicePort: 443 + path: {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.ui.ingress.tls }} + tls: + {{- toYaml .Values.ui.ingress.tls | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/ui-service.yaml b/charts/hashicorp/consul/1.5.0/templates/ui-service.yaml new file mode 100644 index 0000000000..dc2abf4fc5 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/ui-service.yaml @@ -0,0 +1,46 @@ +{{- if (and (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.enabled | toString) "-") .Values.ui.enabled) (and (eq (.Values.ui.enabled | toString) "-") .Values.global.enabled)) (or (and (ne (.Values.ui.service.enabled | toString) "-") .Values.ui.service.enabled) (and (eq (.Values.ui.service.enabled | toString) "-") .Values.global.enabled))) }} +# UI Service for Consul Server +apiVersion: v1 +kind: Service +metadata: + name: {{ template "consul.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: ui + {{- if .Values.ui.service.annotations }} + annotations: + {{ tpl .Values.ui.service.annotations . | nindent 4 | trim }} + {{- end }} +spec: + selector: + app: {{ template "consul.name" . }} + release: "{{ .Release.Name }}" + component: server + ports: + {{- if (or (not .Values.global.tls.enabled) (not .Values.global.tls.httpsOnly)) }} + - name: http + port: {{ .Values.ui.service.port.http }} + targetPort: 8500 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.http) }} + nodePort: {{ .Values.ui.service.nodePort.http }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: https + port: {{ .Values.ui.service.port.https }} + targetPort: 8501 + {{- if .Values.ui.service.type }}{{ if (and (eq .Values.ui.service.type "NodePort") .Values.ui.service.nodePort.https) }} + nodePort: {{ .Values.ui.service.nodePort.https }} + {{- end }}{{ end }} + {{- end }} + {{- if .Values.ui.service.type }} + type: {{ .Values.ui.service.type }} + {{- end }} + {{- if .Values.ui.service.additionalSpec }} + {{ tpl .Values.ui.service.additionalSpec . | nindent 2 | trim }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrole.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrole.yaml new file mode 100644 index 0000000000..2a5c80d94c --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrole.yaml @@ -0,0 +1,54 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - patch +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - get +{{- if .Values.global.enablePodSecurityPolicies }} +- apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - {{ template "consul.fullname" . }}-webhook-cert-manager + verbs: + - use +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrolebinding.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrolebinding.yaml new file mode 100644 index 0000000000..472ef4ee1d --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-clusterrolebinding.yaml @@ -0,0 +1,21 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "consul.fullname" . }}-webhook-cert-manager +subjects: +- kind: ServiceAccount + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-configmap.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-configmap.yaml new file mode 100644 index 0000000000..293dd32d9f --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-configmap.yaml @@ -0,0 +1,29 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +data: + webhook-config.json: |- + [ + { + "name": "{{ template "consul.fullname" . }}-connect-injector", + "tlsAutoHosts": [ + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" + ], + "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", + "secretNamespace": "{{ .Release.Namespace }}" + } + ] + {{- end }} diff --git a/charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-deployment.yaml similarity index 100% rename from charts/hashicorp/consul/templates/webhook-cert-manager-deployment.yaml rename to charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-deployment.yaml diff --git a/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-podsecuritypolicy.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-podsecuritypolicy.yaml new file mode 100644 index 0000000000..4d685edc39 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -0,0 +1,43 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled))) }} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-serviceaccount.yaml b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-serviceaccount.yaml new file mode 100644 index 0000000000..68c54f3c27 --- /dev/null +++ b/charts/hashicorp/consul/1.5.0/templates/webhook-cert-manager-serviceaccount.yaml @@ -0,0 +1,20 @@ +{{ $hasConfiguredWebhookCertsUsingVault := (and .Values.global.secretsBackend.vault.enabled .Values.global.secretsBackend.vault.connectInjectRole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName) -}} +{{- if (and .Values.connectInject.enabled (not $hasConfiguredWebhookCertsUsingVault)) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "consul.fullname" . }}-webhook-cert-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "consul.name" . }} + chart: {{ template "consul.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: webhook-cert-manager + {{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} +- name: {{ .name }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/hashicorp/consul/values.yaml b/charts/hashicorp/consul/1.5.0/values.yaml similarity index 100% rename from charts/hashicorp/consul/values.yaml rename to charts/hashicorp/consul/1.5.0/values.yaml diff --git a/charts/hashicorp/vault/.helmignore b/charts/hashicorp/vault/0.25.0/.helmignore similarity index 100% rename from charts/hashicorp/vault/.helmignore rename to charts/hashicorp/vault/0.25.0/.helmignore diff --git a/charts/hashicorp/vault/0.25.0/CHANGELOG.md b/charts/hashicorp/vault/0.25.0/CHANGELOG.md new file mode 100644 index 0000000000..f3c466f2c4 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/CHANGELOG.md @@ -0,0 +1,484 @@ +## Unreleased + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) + +## 0.22.0 (September 8th, 2022) + +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) + +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) + +## 0.21.0 (August 10th, 2022) + +CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) +* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) + +Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + +## 0.20.1 (May 25th, 2022) +CHANGES: +* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) + +Improvements: +* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) + +Bugs: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) + +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Helm 3.6+ now required + +Features: +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + +Features: +* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) +* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) + +Improvements: +* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) + +## 0.18.0 (November 17th, 2021) + +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 + +Improvements: +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + +## 0.17.1 (October 25th, 2021) + +Improvements: + * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634) + +## 0.17.0 (October 21st, 2021) + +KNOWN ISSUES: +* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set + +CHANGES: +* Vault image default 1.8.4 +* Vault K8s image default 0.14.0 + +Improvements: +* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) +* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) +* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630) + +Bugs: +* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) + +## 0.16.1 (September 29th, 2021) + +CHANGES: +* Vault image default 1.8.3 +* Vault K8s image default 0.13.1 + +## 0.16.0 (September 16th, 2021) + +CHANGES: +* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`. + +Improvements: + * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603) + * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607) + +## 0.15.0 (August 23rd, 2021) + +Improvements: +* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) +* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) + +## 0.14.0 (July 28th, 2021) + +Features: +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) + +Improvements: +* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) +* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576) + + +## 0.13.0 (June 17th, 2021) + +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) + +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) +* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545) + +## 0.12.0 (May 25th, 2021) + +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) + +Bugs: +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + +## 0.11.0 (April 14th, 2021) + +Features: +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) +* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +## 0.10.0 (March 25th, 2021) + +Features: +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + +Improvements: +* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) + +## 0.9.1 (February 2nd, 2021) + +Bugs: +* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442) +* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446) + +## 0.9.0 (January 5th, 2021) + +Features: +* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436) +* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436) + +Improvements: +* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421) +* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415) +* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395) +* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408) +* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425) +* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428) +* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429) +* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389) + +## 0.8.0 (October 20th, 2020) + +Improvements: +* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381) +* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387) +* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393) +* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394) +* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400) +* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398) +* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392) + +Bugs: +* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378) + +## 0.7.0 (August 24th, 2020) + +Features: +* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314). +* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372) + +Improvements: +* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321) +* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177) +* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290) +* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363) +* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199) +* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367) +* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371) +* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364) +* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285) + +Bugs: +* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337) +* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352) +* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358) + +## 0.6.0 (June 3rd, 2020) + +Features: +* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258) +* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315) +* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319) + +Improvements: +* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) +* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] +* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] +* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] +* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] +* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)] +* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)] +* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317) + +Bugs: +* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] +* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] +* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)] +* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)] +* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298) + +## 0.5.0 (April 9th, 2020) + +Features: + +* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)] +* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] +* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] + +* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] +* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] +* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] +* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)] +* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)] + +## 0.4.0 (February 21st, 2020) + +Improvements: + +* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] +* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)] +* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)] +* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)] +* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)] + +Bugs: + +* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)] + +## 0.3.3 (January 14th, 2020) + +Security: + +* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175) + +Bugs: + +* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files + +## 0.3.2 (January 8th, 2020) + +Bugs: + +* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35] + +## 0.3.1 (January 2nd, 2020) + +Bugs: + +* Fixed injection bug causing kube-system pods to be rejected [VK8S-14] + +## 0.3.0 (December 19th, 2019) + +Features: + +* Extra containers can now be added to the Vault pods +* Added configurability of pod probes +* Added Vault Agent Injector + +Improvements: + +* Moved `global.image` to `server.image` +* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true` +* Added better HTTP/HTTPS scheme support to http probes +* Added configurable node port for Vault service +* `server.authDelegator` is now enabled by default + +Bugs: + +* Fixed upgrade bug by removing chart label which contained the version +* Fixed typo on `serviceAccount` (was `serviceaccount`) +* Fixed readiness/liveliness HTTP probe default to accept standbys + +## 0.2.1 (November 12th, 2019) + +Bugs: + +* Removed `readOnlyRootFilesystem` causing issues when validating deployments + +## 0.2.0 (October 29th, 2019) + +Features: + +* Added load balancer support +* Added ingress support +* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc) +* Removed root requirements, now runs as Vault user + +Improvements: + +* Added namespace value to all rendered objects +* Made ports configurable in services +* Added the ability to add custom annotations to services +* Added docker image for running bats test in CircleCI +* Removed restrictions around `dev` mode such as annotations +* `readOnlyRootFilesystem` is now configurable +* Image Pull Policy is now configurable + +Bugs: + +* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption) +* Fixed bug where audit storage was not being mounted in HA mode +* Fixed bug where Vault pod wasn't receiving SIGTERM signals + + +## 0.1.2 (August 22nd, 2019) + +Features: + +* Added `extraSecretEnvironmentVars` to allow users to mount secrets as + environment variables +* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS + depending on the value +* Added `serviceNodePort` to configure a NodePort value when setting `serviceType` + to "NodePort" + +Improvements: + +* Changed UI port to 8200 for better HTTP protocol support +* Added `path` to `extraVolumes` to define where the volume should be + mounted. Defaults to `/vault/userconfig` +* Upgraded Vault to 1.2.2 + +Bugs: + +* Fixed bug where upgrade would fail because immutable labels were being + changed (Helm Version label) +* Fixed bug where UI service used wrong selector after updating helm labels +* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks + Consul is the active node +* Removed `step-down` preStop since it requires authentication. Shutdown signal + sent by Kube acts similar to `step-down` + + +## 0.1.1 (August 7th, 2019) + +Features: + +* Added `authDelegator` Cluster Role Binding to Vault service account for + bootstrapping Kube auth method + +Improvements: + +* Added `server.service.clusterIP` to `values.yml` so users can toggle + the Vault service to headless by using the value `None`. +* Upgraded Vault to 1.2.1 + +## 0.1.0 (August 6th, 2019) + +Initial release diff --git a/charts/hashicorp/vault/0.25.0/CODEOWNERS b/charts/hashicorp/vault/0.25.0/CODEOWNERS new file mode 100644 index 0000000000..af6a3500f5 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/CODEOWNERS @@ -0,0 +1 @@ +* @hashicorp/vault-ecosystem-foundations diff --git a/charts/hashicorp/vault/CONTRIBUTING.md b/charts/hashicorp/vault/0.25.0/CONTRIBUTING.md similarity index 100% rename from charts/hashicorp/vault/CONTRIBUTING.md rename to charts/hashicorp/vault/0.25.0/CONTRIBUTING.md diff --git a/charts/hashicorp/vault/0.25.0/Chart.yaml b/charts/hashicorp/vault/0.25.0/Chart.yaml new file mode 100644 index 0000000000..c9d3562545 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Vault + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: vault + charts.openshift.io/name: HashiCorp Vault +apiVersion: v2 +appVersion: 1.14.0 +description: Official HashiCorp Vault Chart +home: https://www.vaultproject.io +icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png +keywords: +- vault +- security +- encryption +- secrets +- management +- automation +- infrastructure +kubeVersion: '>= 1.20.0-0' +name: vault +sources: +- https://github.com/hashicorp/vault +- https://github.com/hashicorp/vault-helm +- https://github.com/hashicorp/vault-k8s +- https://github.com/hashicorp/vault-csi-provider +version: 0.25.0 diff --git a/charts/hashicorp/vault/LICENSE b/charts/hashicorp/vault/0.25.0/LICENSE similarity index 100% rename from charts/hashicorp/vault/LICENSE rename to charts/hashicorp/vault/0.25.0/LICENSE diff --git a/charts/hashicorp/vault/0.25.0/Makefile b/charts/hashicorp/vault/0.25.0/Makefile new file mode 100644 index 0000000000..5600220645 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/Makefile @@ -0,0 +1,101 @@ +TEST_IMAGE?=vault-helm-test +GOOGLE_CREDENTIALS?=vault-helm-test.json +CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats +ACCEPTANCE_TESTS?=acceptance + +# filter bats unit tests to run. +UNIT_TESTS_FILTER?='.*' + +# set to 'true' to run acceptance tests locally in a kind cluster +LOCAL_ACCEPTANCE_TESTS?=false + +# kind cluster name +KIND_CLUSTER_NAME?=vault-helm + +# kind k8s version +KIND_K8S_VERSION?=v1.26.3 + +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + +test-image: + @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) + +test-unit: + @docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit + +test-bats: test-unit test-acceptance + +test: test-image test-bats + +# run acceptance tests on GKE +# set google project/credential vars above +test-acceptance: +ifeq ($(LOCAL_ACCEPTANCE_TESTS),true) + make setup-kind acceptance +else + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make acceptance +endif + +# destroy GKE cluster using terraform +test-destroy: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make destroy-cluster + +# provision GKE cluster using terraform +test-provision: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -w /helm-test \ + $(TEST_IMAGE) \ + make provision-cluster + +# this target is for running the acceptance tests +# it is run in the docker container above when the test-acceptance target is invoked +acceptance: +ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} +endif + bats --tap --timing test/${ACCEPTANCE_TESTS} + +# this target is for provisioning the GKE cluster +# it is run in the docker container above when the test-provision target is invoked +provision-cluster: + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} + terraform init test/terraform + terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform + +# this target is for removing the GKE cluster +# it is run in the docker container above when the test-destroy target is invoked +destroy-cluster: + terraform destroy -auto-approve + +# create a kind cluster for running the acceptance tests locally +setup-kind: + kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \ + kind create cluster \ + --image kindest/node:${KIND_K8S_VERSION} \ + --name ${KIND_CLUSTER_NAME} \ + --config $(CURDIR)/test/kind/config.yaml + kubectl config use-context kind-${KIND_CLUSTER_NAME} + +# delete the kind cluster +delete-kind: + kind delete cluster --name ${KIND_CLUSTER_NAME} || : + +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/charts/hashicorp/vault/0.25.0/README.md b/charts/hashicorp/vault/0.25.0/README.md new file mode 100644 index 0000000000..6e7014360f --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/README.md @@ -0,0 +1,43 @@ +# Vault Helm Chart + +> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If +you believe you have found a security issue in Vault Helm, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +This repository contains the official HashiCorp Helm chart for installing +and configuring Vault on Kubernetes. This chart supports multiple use +cases of Vault on Kubernetes depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can +use Vault with Kubernetes, please see the +[Vault and Kubernetes documentation](https://www.vaultproject.io/docs/platform/k8s/). + +## Prerequisites + +To use the charts here, [Helm](https://helm.sh/) must be configured for your +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of +this README. Please refer to the Kubernetes and Helm documentation. + +The versions required are: + + * **Helm 3.6+** + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. + It is possible that this chart works with earlier versions but it is + untested. + +## Usage + +To install the latest version of this chart, add the Hashicorp helm repository +and run `helm install`: + +```console +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories + +$ helm install vault hashicorp/vault +``` + +Please see the many options supported in the `values.yaml` file. These are also +fully documented directly on the [Vault +website](https://www.vaultproject.io/docs/platform/k8s/helm) along with more +detailed installation instructions. diff --git a/charts/hashicorp/vault/0.25.0/templates/NOTES.txt b/charts/hashicorp/vault/0.25.0/templates/NOTES.txt new file mode 100644 index 0000000000..8e267121c8 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/NOTES.txt @@ -0,0 +1,14 @@ + +Thank you for installing HashiCorp Vault! + +Now that you have deployed Vault, you should look over the docs on using +Vault with Kubernetes available here: + +https://www.vaultproject.io/docs/ + + +Your release is named {{ .Release.Name }}. To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get manifest {{ .Release.Name }} + diff --git a/charts/hashicorp/vault/0.25.0/templates/_helpers.tpl b/charts/hashicorp/vault/0.25.0/templates/_helpers.tpl new file mode 100644 index 0000000000..dafac3787b --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/_helpers.tpl @@ -0,0 +1,996 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). If release name contains chart name it will +be used as a full name. +*/}} +{{- define "vault.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vault.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "vault.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "vault.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.ha.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{ .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Set the variable 'mode' to the server mode requested by the user to simplify +template logic. +*/}} +{{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} + {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} + {{- $_ := set . "mode" "external" -}} + {{- else if not .serverEnabled -}} + {{- $_ := set . "mode" "external" -}} + {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} + {{- $_ := set . "mode" "dev" -}} + {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} + {{- $_ := set . "mode" "ha" -}} + {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}} + {{- $_ := set . "mode" "standalone" -}} + {{- else -}} + {{- $_ := set . "mode" "" -}} + {{- end -}} +{{- end -}} + +{{/* +Set's the replica count based on the different modes configured by user +*/}} +{{- define "vault.replicas" -}} + {{ if eq .mode "standalone" }} + {{- default 1 -}} + {{ else if eq .mode "ha" }} + {{- .Values.server.ha.replicas | default 3 -}} + {{ else }} + {{- default 1 -}} + {{ end }} +{{- end -}} + +{{/* +Set's up configmap mounts if this isn't a dev deployment and the user +defined a custom configuration. Additionally iterates over any +extra volumes the user may have specified (such as a secret with TLS). +*/}} +{{- define "vault.volumes" -}} + {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + configMap: + name: {{ template "vault.fullname" . }}-config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + defaultMode: {{ .defaultMode | default 420 }} + {{- end }} + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 8}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} +{{- end -}} + +{{/* +Set's the args for custom command to render the Vault configuration +file with IP addresses to make the out of box experience easier +for users looking to use this chart with Consul Helm. +*/}} +{{- define "vault.args" -}} + {{ if or (eq .mode "standalone") (eq .mode "ha") }} + - | + cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; + [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; + /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} + {{ else if eq .mode "dev" }} + - | + /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + {{ end }} +{{- end -}} + +{{/* +Set's additional environment variables based on the mode. +*/}} +{{- define "vault.envs" -}} + {{ if eq .mode "dev" }} + - name: VAULT_DEV_ROOT_TOKEN_ID + value: {{ .Values.server.dev.devRootToken }} + - name: VAULT_DEV_LISTEN_ADDRESS + value: "[::]:8200" + {{ end }} +{{- end -}} + +{{/* +Set's which additional volumes should be mounted to the container +based on the mode configured. +*/}} +{{- define "vault.mounts" -}} + {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - name: audit + mountPath: {{ .Values.server.auditStorage.mountPath }} + {{ end }} + {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }} + {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - name: data + mountPath: {{ .Values.server.dataStorage.mountPath }} + {{ end }} + {{ end }} + {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + mountPath: /vault/config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + {{- end }} + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 12}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} +{{- end -}} + +{{/* +Set's up the volumeClaimTemplates when data or audit storage is required. HA +might not use data storage since Consul is likely it's backend, however, audit +storage might be desired by the user. +*/}} +{{- define "vault.volumeclaims" -}} + {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} + volumeClaimTemplates: + {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} + - metadata: + name: data + {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.dataStorage.size }} + {{- if .Values.server.dataStorage.storageClass }} + storageClassName: {{ .Values.server.dataStorage.storageClass }} + {{- end }} + {{ end }} + {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - metadata: + name: audit + {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.auditStorage.size }} + {{- if .Values.server.auditStorage.storageClass }} + storageClassName: {{ .Values.server.auditStorage.storageClass }} + {{- end }} + {{ end }} + {{ end }} +{{- end -}} + +{{/* +Set's the affinity for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.affinity" -}} + {{- if and (ne .mode "dev") .Values.server.affinity }} + affinity: + {{ $tp := typeOf .Values.server.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the injector affinity for pod placement +*/}} +{{- define "injector.affinity" -}} + {{- if .Values.injector.affinity }} + affinity: + {{ $tp := typeOf .Values.injector.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the toleration for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.tolerations" -}} + {{- if and (ne .mode "dev") .Values.server.tolerations }} + tolerations: + {{- $tp := typeOf .Values.server.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "injector.tolerations" -}} + {{- if .Values.injector.tolerations }} + tolerations: + {{- $tp := typeOf .Values.injector.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the node selector for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.nodeselector" -}} + {{- if and (ne .mode "dev") .Values.server.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.server.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector node selector for pod placement +*/}} +{{- define "injector.nodeselector" -}} + {{- if .Values.injector.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.injector.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra pod annotations +*/}} +{{- define "vault.annotations" -}} + {{- if .Values.server.annotations }} + annotations: + {{- $tp := typeOf .Values.server.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector pod annotations +*/}} +{{- define "injector.annotations" -}} + {{- if .Values.injector.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector service annotations +*/}} +{{- define "injector.service.annotations" -}} + {{- if .Values.injector.service.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector pod level. +*/}} +{{- define "injector.securityContext.pod" -}} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + + +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector webhook annotations +*/}} +{{- define "injector.webhookAnnotations" -}} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} + annotations: + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} + {{- if eq $tp "string" }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} + {{- else }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the injector webhook objectSelector +*/}} +{{- define "injector.objectSelector" -}} + {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} + {{ if $v }} + objectSelector: + {{- $tp := typeOf $v -}} + {{ if eq $tp "string" }} + {{ tpl $v . | indent 6 | trim }} + {{ else }} + {{ toYaml $v | indent 6 | trim }} + {{ end }} + {{ end }} +{{ end }} + +{{/* +Sets extra ui service annotations +*/}} +{{- define "vault.ui.annotations" -}} + {{- if .Values.ui.annotations }} + annotations: + {{- $tp := typeOf .Values.ui.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.ui.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.ui.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vault.serviceAccount.name" -}} +{{- if .Values.server.serviceAccount.create -}} + {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.server.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Sets extra service account annotations +*/}} +{{- define "vault.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.server.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra ingress annotations +*/}} +{{- define "vault.ingress.annotations" -}} + {{- if .Values.server.ingress.annotations }} + annotations: + {{- $tp := typeOf .Values.server.ingress.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.ingress.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.ingress.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra route annotations +*/}} +{{- define "vault.route.annotations" -}} + {{- if .Values.server.route.annotations }} + annotations: + {{- $tp := typeOf .Values.server.route.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.route.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.route.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.annotations" -}} + {{- if .Values.server.service.annotations }} + {{- $tp := typeOf .Values.server.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets PodSecurityPolicy annotations +*/}} +{{- define "vault.psp.annotations" -}} + {{- if .Values.global.psp.annotations }} + annotations: + {{- $tp := typeOf .Values.global.psp.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.global.psp.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.global.psp.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra statefulset annotations +*/}} +{{- define "vault.statefulSet.annotations" -}} + {{- if .Values.server.statefulSet.annotations }} + annotations: + {{- $tp := typeOf .Values.server.statefulSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for data volume +*/}} +{{- define "vault.dataVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.dataStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for audit volume +*/}} +{{- define "vault.auditVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.auditStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the container resources if the user has set any. +*/}} +{{- define "vault.resources" -}} + {{- if .Values.server.resources -}} + resources: +{{ toYaml .Values.server.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "injector.resources" -}} + {{- if .Values.injector.resources -}} + resources: +{{ toYaml .Values.injector.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "csi.resources" -}} + {{- if .Values.csi.resources -}} + resources: +{{ toYaml .Values.csi.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets extra CSI daemonset annotations +*/}} +{{- define "csi.daemonSet.annotations" -}} + {{- if .Values.csi.daemonSet.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.daemonSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{- $tp := typeOf .Values.csi.pod.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} +{{/* +Sets extra CSI provider pod annotations +*/}} +{{- define "csi.pod.annotations" -}} + {{- if .Values.csi.pod.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.pod.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.pod.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra CSI service account annotations +*/}} +{{- define "csi.serviceAccount.annotations" -}} + {{- if .Values.csi.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "vault.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ printf "%s" $key | replace "." "_" | upper | quote }} + value: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment populated by secrets, if populated +*/}} +{{- define "vault.extraSecretEnvironmentVars" -}} +{{- if .extraSecretEnvironmentVars -}} +{{- range .extraSecretEnvironmentVars }} +- name: {{ .envName }} + valueFrom: + secretKeyRef: + name: {{ .secretName }} + key: {{ .secretKey }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Scheme for health check and local endpoint */}} +{{- define "vault.scheme" -}} +{{- if .Values.global.tlsDisable -}} +{{ "http" }} +{{- else -}} +{{ "https" }} +{{- end -}} +{{- end -}} + +{{/* +imagePullSecrets generates pull secrets from either string or map values. +A map value must be indexable by the key 'name'. +*/}} +{{- define "imagePullSecrets" -}} +{{- with .Values.global.imagePullSecrets -}} +imagePullSecrets: +{{- range . -}} +{{- if typeIs "string" . }} + - name: {{ . }} +{{- else if index . "name" }} + - name: {{ .name }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. +Supported inputs are Values.server.service and Values.ui +*/}} +{{- define "service.externalTrafficPolicy" -}} +{{- $type := "" -}} +{{- if .serviceType -}} +{{- $type = .serviceType -}} +{{- else if .type -}} +{{- $type = .type -}} +{{- end -}} +{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} +{{- else }} +{{- end }} +{{- end -}} + +{{/* +loadBalancer configuration for the the UI service. +Supported inputs are Values.ui +*/}} +{{- define "service.loadBalancer" -}} +{{- if eq (.serviceType | toString) "LoadBalancer" }} +{{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} +{{- end }} +{{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range . }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-agent-configmap.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000000..7af08e8f9b --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-agent-configmap.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/charts/hashicorp/vault/templates/csi-clusterrole.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-clusterrole.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-clusterrole.yaml rename to charts/hashicorp/vault/0.25.0/templates/csi-clusterrole.yaml diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-clusterrolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-clusterrolebinding.yaml new file mode 100644 index 0000000000..d5a9346885 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-daemonset.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-daemonset.yaml new file mode 100644 index 0000000000..28e7cd0705 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-daemonset.yaml @@ -0,0 +1,157 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.daemonSet.annotations" . }} +spec: + updateStrategy: + type: {{ .Values.csi.daemonSet.updateStrategy.type }} + {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "csi.pod.annotations" . }} + spec: + {{ template "csi.daemonSet.securityContext.pod" . }} + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} + containers: + - name: {{ include "vault.name" . }}-csi-provider + {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . }} + image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + imagePullPolicy: {{ .Values.csi.image.pullPolicy }} + args: + - --endpoint=/provider/vault.sock + - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- end }} + volumeMounts: + - name: providervol + mountPath: "/provider" + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} + volumes: + - name: providervol + hostPath: + path: {{ .Values.csi.daemonSet.providersDir }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-role.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-role.yaml new file mode 100644 index 0000000000..dd23af6551 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-role.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-role + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "vault.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-rolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-rolebinding.yaml new file mode 100644 index 0000000000..e61f2dc2de --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-rolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/csi-serviceaccount.yaml b/charts/hashicorp/vault/0.25.0/templates/csi-serviceaccount.yaml new file mode 100644 index 0000000000..25e123ee9f --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/csi-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.serviceAccount.annotations" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-certs-secret.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-certs-secret.yaml new file mode 100644 index 0000000000..3e5ddb7b94 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-certs-secret.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: v1 +kind: Secret +metadata: + name: vault-injector-certs + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-clusterrole.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-clusterrole.yaml new file mode 100644 index 0000000000..d5682dd76a --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-clusterrole.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: + - "get" + - "list" + - "watch" + - "patch" +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-clusterrolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-clusterrolebinding.yaml new file mode 100644 index 0000000000..9253e4f0a8 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-binding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-deployment.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-deployment.yaml new file mode 100644 index 0000000000..fbf32c0939 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-deployment.yaml @@ -0,0 +1,179 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +# Deployment for the injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + replicas: {{ .Values.injector.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{ template "injector.strategy" . }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- if .Values.injector.extraLabels -}} + {{- toYaml .Values.injector.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "injector.annotations" . }} + spec: + {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} + {{ template "injector.tolerations" . }} + {{ template "injector.nodeselector" . }} + {{- if .Values.injector.priorityClassName }} + priorityClassName: {{ .Values.injector.priorityClassName }} + {{- end }} + serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{ template "injector.securityContext.pod" . -}} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.injector.hostNetwork }} + {{- end }} + containers: + - name: sidecar-injector + {{ template "injector.resources" . }} + image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" + imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" + {{- template "injector.securityContext.container" . }} + env: + - name: AGENT_INJECT_LISTEN + value: {{ printf ":%v" .Values.injector.port }} + - name: AGENT_INJECT_LOG_LEVEL + value: {{ .Values.injector.logLevel | default "info" }} + - name: AGENT_INJECT_VAULT_ADDR + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else if .Values.injector.externalVaultAddr }} + value: "{{ .Values.injector.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- end }} + - name: AGENT_INJECT_VAULT_AUTH_PATH + value: {{ .Values.injector.authPath }} + - name: AGENT_INJECT_VAULT_IMAGE + value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" + {{- if .Values.injector.certs.secretName }} + - name: AGENT_INJECT_TLS_CERT_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" + - name: AGENT_INJECT_TLS_KEY_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" + {{- else }} + - name: AGENT_INJECT_TLS_AUTO + value: {{ template "vault.fullname" . }}-agent-injector-cfg + - name: AGENT_INJECT_TLS_AUTO_HOSTS + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ .Release.Namespace }}.svc + {{- end }} + - name: AGENT_INJECT_LOG_FORMAT + value: {{ .Values.injector.logFormat | default "standard" }} + - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN + value: "{{ .Values.injector.revokeOnShutdown | default false }}" + {{- if .Values.global.openshift }} + - name: AGENT_INJECT_SET_SECURITY_CONTEXT + value: "false" + {{- end }} + {{- if .Values.injector.metrics.enabled }} + - name: AGENT_INJECT_TELEMETRY_PATH + value: "/metrics" + {{- end }} + {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} + - name: AGENT_INJECT_USE_LEADER_ELECTOR + value: "true" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" + - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE + value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} + {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + - agent-inject + - 2>&1 + livenessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} +{{- if .Values.injector.certs.secretName }} + volumes: + - name: webhook-certs + secret: + secretName: "{{ .Values.injector.certs.secretName }}" +{{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-disruptionbudget.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-disruptionbudget.yaml new file mode 100644 index 0000000000..6ae714bae8 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-disruptionbudget.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.injector.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} +{{- end -}} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-mutating-webhook.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-mutating-webhook.yaml new file mode 100644 index 0000000000..d03cd136d7 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-mutating-webhook.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-cfg + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "injector.webhookAnnotations" . }} +webhooks: + - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} + sideEffects: None + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ .Release.Namespace }} + path: "/mutate" + caBundle: {{ .Values.injector.certs.caBundle | quote }} + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} + namespaceSelector: +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} +{{ end }} +{{- template "injector.objectSelector" . -}} +{{ end }} diff --git a/charts/hashicorp/vault/templates/injector-network-policy.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-network-policy.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-network-policy.yaml rename to charts/hashicorp/vault/0.25.0/templates/injector-network-policy.yaml diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-psp-role.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-psp-role.yaml new file mode 100644 index 0000000000..65d8e9ba96 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-psp-rolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-psp-rolebinding.yaml new file mode 100644 index 0000000000..48a3a26a25 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/templates/injector-psp.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-psp.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-psp.yaml rename to charts/hashicorp/vault/0.25.0/templates/injector-psp.yaml diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-role.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-role.yaml new file mode 100644 index 0000000000..df7b0ed747 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-role.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: + - "create" + - "get" + - "watch" + - "list" + - "update" + - apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "patch" + - "delete" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-rolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-rolebinding.yaml new file mode 100644 index 0000000000..0848e43d81 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-rolebinding.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-service.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-service.yaml new file mode 100644 index 0000000000..5b2069286b --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-service.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.service.annotations" . }} +spec: + ports: + - name: https + port: 443 + targetPort: {{ .Values.injector.port }} + selector: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/injector-serviceaccount.yaml b/charts/hashicorp/vault/0.25.0/templates/injector-serviceaccount.yaml new file mode 100644 index 0000000000..9b5c2f6ed1 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/injector-serviceaccount.yaml @@ -0,0 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/templates/prometheus-prometheusrules.yaml b/charts/hashicorp/vault/0.25.0/templates/prometheus-prometheusrules.yaml similarity index 100% rename from charts/hashicorp/vault/templates/prometheus-prometheusrules.yaml rename to charts/hashicorp/vault/0.25.0/templates/prometheus-prometheusrules.yaml diff --git a/charts/hashicorp/vault/0.25.0/templates/prometheus-servicemonitor.yaml b/charts/hashicorp/vault/0.25.0/templates/prometheus-servicemonitor.yaml new file mode 100644 index 0000000000..60f2729a0d --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/prometheus-servicemonitor.yaml @@ -0,0 +1,49 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if eq .mode "ha" }} + vault-active: "true" + {{- else }} + vault-internal: "true" + {{- end }} + endpoints: + - port: {{ include "vault.scheme" . }} + interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} + scheme: {{ include "vault.scheme" . | lower }} + path: /v1/sys/metrics + params: + format: + - prometheus + tlsConfig: + insecureSkipVerify: true + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..b694129b5f --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-server-binding + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ .Release.Namespace }} +{{ end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.25.0/templates/server-config-configmap.yaml b/charts/hashicorp/vault/0.25.0/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..5d29e98d66 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-config-configmap.yaml @@ -0,0 +1,45 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} +{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-config + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + extraconfig-from-values.hcl: |- + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} + disable_mlock = true + {{- if eq .mode "standalone" }} + {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} + {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} + {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-discovery-role.yaml b/charts/hashicorp/vault/0.25.0/templates/server-discovery-role.yaml new file mode 100644 index 0000000000..adae42a2bb --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-discovery-role.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ .Release.Namespace }} + name: {{ template "vault.fullname" . }}-discovery-role + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "patch"] +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-discovery-rolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/server-discovery-rolebinding.yaml new file mode 100644 index 0000000000..853ee870c8 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-discovery-rolebinding.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-discovery-rolebinding + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-discovery-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ .Release.Namespace }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/vault/0.25.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..3ff11099bf --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-ha-active-service.yaml b/charts/hashicorp/vault/0.25.0/templates/server-ha-active-service.yaml new file mode 100644 index 0000000000..58d540fd5c --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-ha-active-service.yaml @@ -0,0 +1,55 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} +# Service for active Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-active + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-active: "true" + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "true" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-ha-standby-service.yaml b/charts/hashicorp/vault/0.25.0/templates/server-ha-standby-service.yaml new file mode 100644 index 0000000000..b9f6435861 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-ha-standby-service.yaml @@ -0,0 +1,54 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} +# Service for standby Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-standby + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "false" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-headless-service.yaml b/charts/hashicorp/vault/0.25.0/templates/server-headless-service.yaml new file mode 100644 index 0000000000..42e1aa0004 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-headless-service.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-internal + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-internal: "true" + annotations: +{{ template "vault.service.annotations" .}} +spec: + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: "{{ include "vault.scheme" . }}" + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-ingress.yaml b/charts/hashicorp/vault/0.25.0/templates/server-ingress.yaml new file mode 100644 index 0000000000..3aba66885a --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-ingress.yaml @@ -0,0 +1,69 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if not .Values.global.openshift }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +{{- $servicePort := .Values.server.service.port -}} +{{- $pathType := .Values.server.ingress.pathType -}} +{{- $kubeVersion := .Capabilities.KubeVersion.Version }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.ingress.annotations" . }} +spec: +{{- if .Values.server.ingress.tls }} + tls: + {{- range .Values.server.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} +{{- if .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} +{{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + {{- range (.paths | default (list "/")) }} + - path: {{ . }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-network-policy.yaml b/charts/hashicorp/vault/0.25.0/templates/server-network-policy.yaml new file mode 100644 index 0000000000..62d4ae1ac5 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-network-policy.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP + {{- if .Values.server.networkPolicy.egress }} + egress: + {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} + {{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-psp-role.yaml b/charts/hashicorp/vault/0.25.0/templates/server-psp-role.yaml new file mode 100644 index 0000000000..0c8c983ea6 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-psp-rolebinding.yaml b/charts/hashicorp/vault/0.25.0/templates/server-psp-rolebinding.yaml new file mode 100644 index 0000000000..9b975d5565 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/templates/server-psp.yaml b/charts/hashicorp/vault/0.25.0/templates/server-psp.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-psp.yaml rename to charts/hashicorp/vault/0.25.0/templates/server-psp.yaml diff --git a/charts/hashicorp/vault/0.25.0/templates/server-route.yaml b/charts/hashicorp/vault/0.25.0/templates/server-route.yaml new file mode 100644 index 0000000000..3f35aefe28 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-route.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.global.openshift }} +{{- if ne .mode "external" }} +{{- if .Values.server.route.enabled -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.route.annotations" . }} +spec: + host: {{ .Values.server.route.host }} + to: + kind: Service + name: {{ $serviceName }} + weight: 100 + port: + targetPort: 8200 + tls: + {{- toYaml .Values.server.route.tls | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-service.yaml b/charts/hashicorp/vault/0.25.0/templates/server-service.yaml new file mode 100644 index 0000000000..8e34c88c59 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-service.yaml @@ -0,0 +1,51 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-serviceaccount.yaml b/charts/hashicorp/vault/0.25.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..e154f8dc27 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "vault.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/server-statefulset.yaml b/charts/hashicorp/vault/0.25.0/templates/server-statefulset.yaml new file mode 100644 index 0000000000..7ab7de8e2f --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/server-statefulset.yaml @@ -0,0 +1,217 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} +# StatefulSet to run the actual vault server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.statefulSet.annotations" . }} +spec: + serviceName: {{ template "vault.fullname" . }}-internal + podManagementPolicy: Parallel + replicas: {{ template "vault.replicas" . }} + updateStrategy: + type: {{ .Values.server.updateStrategyType }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + template: + metadata: + labels: + helm.sh/chart: {{ template "vault.chart" . }} + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if .Values.server.extraLabels -}} + {{- toYaml .Values.server.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "vault.annotations" . }} + spec: + {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} + {{ template "vault.tolerations" . }} + {{ template "vault.nodeselector" . }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + serviceAccountName: {{ template "vault.serviceAccount.name" . }} + {{ if .Values.server.shareProcessNamespace }} + shareProcessNamespace: true + {{ end }} + {{- template "server.statefulSet.securityContext.pod" . }} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} + volumes: + {{ template "vault.volumes" . }} + - name: home + emptyDir: {} + {{- if .Values.server.extraInitContainers }} + initContainers: + {{ toYaml .Values.server.extraInitContainers | nindent 8}} + {{- end }} + containers: + - name: vault + {{ template "vault.resources" . }} + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + command: + - "/bin/sh" + - "-ec" + args: {{ template "vault.args" . }} + {{- template "server.statefulSet.securityContext.container" . }} + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VAULT_ADDR + value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" + - name: VAULT_API_ADDR + {{- if .Values.server.ha.apiAddr }} + value: {{ .Values.server.ha.apiAddr }} + {{- else }} + value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + {{- end }} + - name: SKIP_CHOWN + value: "true" + - name: SKIP_SETCAP + value: "true" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} + {{- else }} + value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} + {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} + - name: VAULT_RAFT_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- end }} + - name: HOME + value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} + {{ template "vault.envs" . }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} + {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} + volumeMounts: + {{ template "vault.mounts" . }} + - name: home + mountPath: /home/vault + ports: + - containerPort: 8200 + name: {{ include "vault.scheme" . }} + - containerPort: 8201 + name: https-internal + - containerPort: 8202 + name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} + {{- if .Values.server.readinessProbe.enabled }} + readinessProbe: + {{- if .Values.server.readinessProbe.path }} + httpGet: + path: {{ .Values.server.readinessProbe.path | quote }} + port: {{ .Values.server.readinessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + {{- else }} + # Check status; unsealed vault servers return 0 + # The exit code reflects the seal status: + # 0 - unsealed + # 1 - error + # 2 - sealed + exec: + command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] + {{- end }} + failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.server.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.server.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.server.livenessProbe.path | quote }} + port: {{ .Values.server.livenessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.server.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} + {{- end }} + lifecycle: + # Vault container doesn't receive SIGTERM from Kubernetes + # and after the grace period ends, Kube sends SIGKILL. This + # causes issues with graceful shutdowns such as deregistering itself + # from Consul (zombie services). + preStop: + exec: + command: [ + "/bin/sh", "-c", + # Adding a sleep here to give the pod eviction a + # chance to propagate, so requests will not be made + # to this pod while it's terminating + "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", + ] + {{- if .Values.server.postStart }} + postStart: + exec: + command: + {{- range (.Values.server.postStart) }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} + {{ template "vault.volumeclaims" . }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/tests/server-test.yaml b/charts/hashicorp/vault/0.25.0/templates/tests/server-test.yaml new file mode 100644 index 0000000000..59b1501096 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/tests/server-test.yaml @@ -0,0 +1,56 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ .Release.Name }}-server-test" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": test +spec: + {{- include "imagePullSecrets" . | nindent 2 }} + containers: + - name: {{ .Release.Name }}-server-test + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + env: + - name: VAULT_ADDR + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'vault status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + vault status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'vault status' output" + exit 1 + fi + + exit 0 + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} + restartPolicy: Never +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/templates/ui-service.yaml b/charts/hashicorp/vault/0.25.0/templates/ui-service.yaml new file mode 100644 index 0000000000..4b2e8f7e40 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/templates/ui-service.yaml @@ -0,0 +1,42 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-ui + namespace: {{ .Release.Namespace }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.ui.annotations" . }} +spec: + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} + vault-active: "true" + {{- end }} + publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.ui.externalPort }} + targetPort: {{ .Values.ui.targetPort }} + {{- if .Values.ui.serviceNodePort }} + nodePort: {{ .Values.ui.serviceNodePort }} + {{- end }} + type: {{ .Values.ui.serviceType }} + {{- include "service.externalTrafficPolicy" .Values.ui }} + {{- include "service.loadBalancer" .Values.ui }} +{{- end -}} +{{- end }} diff --git a/charts/hashicorp/vault/0.25.0/values.openshift.yaml b/charts/hashicorp/vault/0.25.0/values.openshift.yaml new file mode 100644 index 0000000000..6e575e4d4f --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/values.openshift.yaml @@ -0,0 +1,21 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# These overrides are appropriate defaults for deploying this chart on OpenShift + +global: + openshift: true + +injector: + image: + repository: "registry.connect.redhat.com/hashicorp/vault-k8s" + tag: "1.2.1-ubi" + + agentImage: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.14.0-ubi" + +server: + image: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.14.0-ubi" diff --git a/charts/hashicorp/vault/0.25.0/values.schema.json b/charts/hashicorp/vault/0.25.0/values.schema.json new file mode 100644 index 0000000000..ecb97dece3 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/values.schema.json @@ -0,0 +1,1144 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "null", + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + } + } + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + } + } + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "externalVaultAddr": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, + "psp": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enable": { + "type": "boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, + "template": { + "type": "string" + }, + "templateConfig": { + "type": "object", + "properties": { + "exitOnRetryFailure": { + "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" + } + } + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": [ + "null", + "string" + ] + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "podDisruptionBudget": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "strategy": { + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "webhookAnnotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "extraArgs": { + "type": "string" + }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, + "extraContainers": { + "type": [ + "null", + "array" + ] + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraInitContainers": { + "type": [ + "null", + "array" + ] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": [ + "null", + "string" + ] + }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, + "config": { + "type": [ + "string", + "object" + ] + }, + "disruptionBudget": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": [ + "null", + "integer" + ] + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "ingressClassName": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "pathType": { + "type": "string" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": "array" + }, + "enabled": { + "type": "boolean" + } + } + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "port": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "targetPort": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "activeNodePort": { + "type": "integer" + }, + "standbyNodePort": { + "type": "integer" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "create": { + "type": "boolean" + }, + "extraLabels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": [ + "string", + "boolean" + ] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + } + } + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + }, + "hostNetwork": { + "type": "boolean" + } + } + }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalPort": { + "type": "integer" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": [ + "null", + "integer" + ] + }, + "serviceType": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + } +} diff --git a/charts/hashicorp/vault/0.25.0/values.yaml b/charts/hashicorp/vault/0.25.0/values.yaml new file mode 100644 index 0000000000..58eb8a2218 --- /dev/null +++ b/charts/hashicorp/vault/0.25.0/values.yaml @@ -0,0 +1,1230 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Vault chart. + +global: + # enabled is the master enabled switch. Setting this to true or false + # will enable or disable all the components within this chart by default. + enabled: true + + # Image pull secret to use for registry authentication. + # Alternatively, the value may be specified as an array of strings. + imagePullSecrets: [] + # imagePullSecrets: + # - name: image-pull-secret + + # TLS for end-to-end encrypted transport + tlsDisable: true + + # External vault server address for the injector and CSI provider to use. + # Setting this will disable deployment of a vault server. + externalVaultAddr: "" + + # If deploying to OpenShift + openshift: false + + # Create PodSecurityPolicy for pods + psp: + enable: false + # Annotation for PodSecurityPolicy. + # This is a multi-line templated string map, and can also be set as YAML. + annotations: | + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + +injector: + # True if you want to enable vault agent injection. + # @default: global.enabled + enabled: "-" + + replicas: 1 + + # Configures the port the injector should listen on + port: 8080 + + # If multiple replicas are specified, by default a leader will be determined + # so that only one injector attempts to create TLS certificates. + leaderElector: + enabled: true + + # If true, will enable a node exporter metrics endpoint at /metrics. + metrics: + enabled: false + + # Deprecated: Please use global.externalVaultAddr instead. + externalVaultAddr: "" + + # image sets the repo and tag of the vault-k8s image to use for the injector. + image: + repository: "hashicorp/vault-k8s" + tag: "1.2.1" + pullPolicy: IfNotPresent + + # agentImage sets the repo and tag of the Vault image to use for the Vault Agent + # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # required. + agentImage: + repository: "hashicorp/vault" + tag: "1.14.0" + + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" + + # Default values within Agent's template_config stanza. + templateConfig: + exitOnRetryFailure: true + staticSecretRenderInterval: "" + + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + + # Mount Path of the Vault Kubernetes Auth Method. + authPath: "auth/kubernetes" + + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "info" + + # Configures the log format of the injector. Supported log formats: "standard", "json". + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: | + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - {{ template "vault.name" . }}-agent-injector + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Deprecated: please use 'webhook.annotations' instead + # Extra annotations to attach to the webhook + webhookAnnotations: {} + + certs: + # secretName is the name of the secret that has the TLS certificate and + # private key to serve the injector webhook. If this is null, then the + # injector will default to its automatic management mode that will assign + # a service account to the injector to generate its own certificates. + secretName: null + + # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA + # that signed the TLS certificate that the webhook serves. This must be set + # if secretName is non-null unless an external service like cert-manager is + # keeping the caBundle updated. + caBundle: "" + + # certName and keyName are the names of the files within the secret for + # the TLS cert and private key, respectively. These have reasonable + # defaults but can be customized if necessary. + certName: tls.crt + keyName: tls.key + + # Security context for the pod template and the injector container + # The default pod securityContext is: + # runAsNonRoot: true + # runAsGroup: {{ .Values.injector.gid | default 1000 }} + # runAsUser: {{ .Values.injector.uid | default 100 }} + # fsGroup: {{ .Values.injector.gid | default 1000 }} + # and for container is + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + securityContext: + pod: {} + container: {} + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # extraEnvironmentVars is a list of extra environment variables to set in the + # injector deployment. + extraEnvironmentVars: {} + # KUBERNETES_SERVICE_HOST: kubernetes.default.svc + + # Affinity Settings for injector pods + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. + # Commenting out or setting as empty the affinity variable, will allow + # deployment of multiple replicas to single node services such as Minikube. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: webhook + topologyKey: kubernetes.io/hostname + + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for injector pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Priority class for injector pods + priorityClassName: "" + + # Extra annotations to attach to the injector pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the injector pods + annotations: {} + + # Extra labels to attach to the agent-injector + # This should be a YAML map of the labels to apply to the injector + extraLabels: {} + + # Should the injector pods run on the host network (useful when using + # an alternate CNI in EKS) + hostNetwork: false + + # Injector service specific config + service: + # Extra annotations to attach to the injector service + annotations: {} + + # Injector serviceAccount specific config + serviceAccount: + # Extra annotations to attach to the injector serviceAccount + annotations: {} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +server: + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" + + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + + # Resource requests, limits, etc. for the server cluster placement. This + # should map directly to the value of the resources field for a PodSpec. + # By default no direct resource request is made. + + image: + repository: "hashicorp/vault" + tag: "1.14.0" + # Overrides the default Image Pull Policy + pullPolicy: IfNotPresent + + # Configure the Update Strategy Type for the StatefulSet + # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategyType: "OnDelete" + + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Ingress allows ingress services to be created to allow external access + # from Kubernetes to access Vault pods. + # If deployment is on OpenShift, the following block is ignored. + # In order to expose the service, use the route section below + ingress: + enabled: false + labels: {} + # traffic: external + annotations: {} + # | + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # or + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # Optionally use ingressClassName instead of deprecated annotation. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + ingressClassName: "" + + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. + pathType: Prefix + + # When HA mode is enabled and K8s service registration is being used, + # configure the ingress to point to the Vault active service. + activeService: true + hosts: + - host: chart-example.local + paths: [] + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # service: + # name: ssl-redirect + # port: + # number: use-annotation + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + # OpenShift only - create a route to expose the service + # By default the created route will be of type passthrough + route: + enabled: false + + # When HA mode is enabled and K8s service registration is being used, + # configure the route to point to the Vault active service. + activeService: true + + labels: {} + annotations: {} + host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough + + # authDelegator enables a cluster role binding to be attached to the service + # account. This cluster role binding can be used to setup Kubernetes auth + # method. https://www.vaultproject.io/docs/auth/kubernetes.html + authDelegator: + enabled: true + + # extraInitContainers is a list of init containers. Specified as a YAML list. + # This is useful if you need to run a script to provision TLS certificates or + # write out configuration files in a dynamic way. + extraInitContainers: null + # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, + # # which is defined in the volumes value. + # - name: oauthapp + # image: "alpine" + # command: [sh, -c] + # args: + # - cd /tmp && + # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz && + # tar -xf oauthapp.xz && + # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp && + # chmod +x /usr/local/libexec/vault/oauthapp + # volumeMounts: + # - name: plugins + # mountPath: /usr/local/libexec/vault + + # extraContainers is a list of sidecar containers. Specified as a YAML list. + extraContainers: null + + # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + shareProcessNamespace: false + + # extraArgs is a string containing additional Vault server arguments. + extraArgs: "" + + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + + # Used to define custom readinessProbe settings + readinessProbe: + enabled: true + # If you need to use a http path instead of the default exec + # path: /v1/sys/health?standbyok=true + + # Port number on which readinessProbe will be checked. + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to enable a livenessProbe for the pods + livenessProbe: + enabled: false + path: "/v1/sys/health?standbyok=true" + # Port number on which livenessProbe will be checked. + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 60 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + + # Used to set the sleep time during the preStop step + preStopSleepSeconds: 5 + + # Used to define commands to run after the pod is ready. + # This can be used to automate processes such as initialization + # or boostrapping auth methods. + postStart: [] + # - /bin/sh + # - -c + # - /vault/userconfig/myscript/run.sh + + # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be + # used to include variables required for auto-unseal. + extraEnvironmentVars: {} + # GOOGLE_REGION: global + # GOOGLE_PROJECT: myproject + # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + + # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. + # These variables take value from existing Secret objects. + extraSecretEnvironmentVars: [] + # - envName: AWS_SECRET_ACCESS_KEY + # secretName: vault + # secretKey: AWS_SECRET_ACCESS_KEY + + # Deprecated: please use 'volumes' instead. + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Vault in the path `/vault/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: plugins + # emptyDir: {} + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - mountPath: /usr/local/libexec/vault + # name: plugins + # readOnly: true + + # Affinity Settings + # Commenting out or setting as empty the affinity variable, will allow + # deployment to single node services such as Minikube + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for server pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Enables network policy for server pods + networkPolicy: + enabled: false + egress: [] + # egress: + # - to: + # - ipBlock: + # cidr: 10.0.0.0/24 + # ports: + # - protocol: TCP + # port: 443 + + # Priority class for server pods + priorityClassName: "" + + # Extra labels to attach to the server pods + # This should be a YAML map of the labels to apply to the server pods + extraLabels: {} + + # Extra annotations to attach to the server pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the server pods + annotations: {} + + # Enables a headless service to be used by the Vault Statefulset + service: + enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labelled themselves as the cluster leader with `vault-active: "true"` + active: + enabled: true + # Enable or disable the vault-standby service, which selects Vault pods that + # have labelled themselves as a cluster follower with `vault-active: "false"` + standby: + enabled: true + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true + # clusterIP controls whether a Cluster IP address is attached to the + # Vault service within Kubernetes. By default, the Vault service will + # be given a Cluster IP address, set to None to disable. When disabled + # Kubernetes will create a "headless" service. Headless services can be + # used to communicate with pods directly through DNS instead of a round-robin + # load balancer. + # clusterIP: None + + # Configures the service type for the main Vault service. Can be ClusterIP + # or NodePort. + #type: ClusterIP + + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. + publishNotReadyAddresses: true + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #nodePort: 30000 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #activeNodePort: 30001 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #standbyNodePort: 30002 + + # Port on which Vault server is listening + port: 8200 + # Target port to which the service should be mapped to + targetPort: 8200 + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the service. + annotations: {} + + # This configures the Vault Statefulset to create a PVC for data + # storage when using the file or raft backend storage engines. + # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more + dataStorage: + enabled: true + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/data" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + + # This configures the Vault Statefulset to create a PVC for audit + # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # be configured to use this for audit logs. This will be mounted to + # /vault/audit + # See https://www.vaultproject.io/docs/audit/index.html to know more + auditStorage: + enabled: false + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/audit" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + + # Run Vault in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with Vault without + # needing to unseal, store keys, et. al. All data is lost on restart - do not + # use dev mode for anything other than experimenting. + # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more + dev: + enabled: false + + # Set VAULT_DEV_ROOT_TOKEN_ID value + devRootToken: "root" + + # Run Vault in "standalone" mode. This is the default mode that will deploy if + # no arguments are given to helm. This requires a PVC for data storage to use + # the "file" backend. This mode is not highly available and should not be scaled + # past a single replica. + standalone: + enabled: "-" + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # and store data there. This is only used when using a Replica count of 1, and + # using a stateful set. This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + storage "file" { + path = "/vault/data" + } + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # Run Vault in "HA" mode. There are no storage requirements unless the audit log + # persistence is required. In HA mode Vault will configure itself to use Consul + # for its storage backend. The default configuration provided will work the Consul + # Helm project by default. It is possible to manually configure Vault to use a + # different HA backend. + ha: + enabled: false + replicas: 3 + + # Set the api_addr configuration for Vault HA + # See https://www.vaultproject.io/docs/configuration#api_addr + # If set to null, this will be set to the Pod IP Address + apiAddr: null + + # Set the cluster_addr confuguration for Vault HA + # See https://www.vaultproject.io/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where + # Vault's persistence is external (such as Consul), enabling Raft mode will create + # persistent volumes for Vault to store data according to the configuration under server.dataStorage. + # The Vault cluster will coordinate leader elections and failovers internally. + raft: + + # Enables Raft integrated storage + enabled: false + # Set the Node Raft ID to the name of the pod + setNodeId: false + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + + storage "raft" { + path = "/vault/data" + } + + service_registration "kubernetes" {} + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a Consul for its HA storage backend. + # This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "consul" { + path = "vault" + address = "HOST_IP:8500" + } + + service_registration "kubernetes" {} + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev-246514" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + disruptionBudget: + enabled: true + + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. + maxUnavailable: null + + # Definition of the serviceAccount used to run Vault. + # These options are also used when using an external Vault server to validate + # Kubernetes tokens. + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true + + # Settings for the statefulSet used to run Vault. + statefulSet: + # Extra annotations for the statefulSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the statefulSet. + annotations: {} + + # Set the pod and container security contexts. + # If not set, these will default to, and for *not* OpenShift: + # pod: + # runAsNonRoot: true + # runAsGroup: {{ .Values.server.gid | default 1000 }} + # runAsUser: {{ .Values.server.uid | default 100 }} + # fsGroup: {{ .Values.server.gid | default 1000 }} + # container: + # allowPrivilegeEscalation: false + # + # If not set, these will default to, and for OpenShift: + # pod: {} + # container: {} + securityContext: + pod: {} + container: {} + + # Should the server pods run on the host network + hostNetwork: false + +# Vault UI +ui: + # True if you want to create a Service entry for the Vault UI. + # + # serviceType can be used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) to access the UI. + enabled: false + publishNotReadyAddresses: true + # The service should only contain selectors for active Vault pod + activeVaultPodOnly: false + serviceType: "ClusterIP" + serviceNodePort: null + externalPort: 8200 + targetPort: 8200 + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + #loadBalancerSourceRanges: + # - 10.0.0.0/16 + # - 1.78.23.3/32 + + # loadBalancerIP: + + # Extra annotations to attach to the ui service + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the ui service + annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/vault-csi-provider" + tag: "1.4.0" + pullPolicy: IfNotPresent + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + # Provider host path (must match the CSI provider's path) + providersDir: "/etc/kubernetes/secrets-store-csi-providers" + # Kubelet host path + kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} + # security context for the pod template and container in the csi provider daemonSet + securityContext: + pod: {} + container: {} + + pod: + # Extra annotations for the provider pods. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + # Toleration Settings for provider pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + agent: + enabled: true + extraArgs: [] + + image: + repository: "hashicorp/vault" + tag: "1.14.0" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Priority class for csi pods + priorityClassName: "" + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Enables debug logging. + debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + # See https://www.vaultproject.io/docs/platform/k8s/csi/configurations#command-line-arguments + # for the available command line flags. + extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://www.vaultproject.io/docs/configuration/telemetry +# https://www.vaultproject.io/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. Currently, this chart does not support + # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical diff --git a/charts/hashicorp/vault/0.26.1/.helmignore b/charts/hashicorp/vault/0.26.1/.helmignore new file mode 100644 index 0000000000..4007e24350 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.terraform/ +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# CI and test +.circleci/ +.github/ +.gitlab-ci.yml +test/ diff --git a/charts/hashicorp/vault/0.26.1/CHANGELOG.md b/charts/hashicorp/vault/0.26.1/CHANGELOG.md new file mode 100644 index 0000000000..87ffb2099f --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/CHANGELOG.md @@ -0,0 +1,512 @@ +## Unreleased + +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + +## 0.26.0 (October 27, 2023) + +Changes: +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 +* Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) + +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) + +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) + +## 0.22.0 (September 8th, 2022) + +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) + +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) + +## 0.21.0 (August 10th, 2022) + +CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) +* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) + +Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + +## 0.20.1 (May 25th, 2022) +CHANGES: +* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) + +Improvements: +* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) + +Bugs: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) + +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Helm 3.6+ now required + +Features: +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + +Features: +* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) +* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) + +Improvements: +* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) + +## 0.18.0 (November 17th, 2021) + +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 + +Improvements: +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + +## 0.17.1 (October 25th, 2021) + +Improvements: + * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634) + +## 0.17.0 (October 21st, 2021) + +KNOWN ISSUES: +* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set + +CHANGES: +* Vault image default 1.8.4 +* Vault K8s image default 0.14.0 + +Improvements: +* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) +* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) +* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630) + +Bugs: +* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) + +## 0.16.1 (September 29th, 2021) + +CHANGES: +* Vault image default 1.8.3 +* Vault K8s image default 0.13.1 + +## 0.16.0 (September 16th, 2021) + +CHANGES: +* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`. + +Improvements: + * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603) + * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607) + +## 0.15.0 (August 23rd, 2021) + +Improvements: +* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) +* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) + +## 0.14.0 (July 28th, 2021) + +Features: +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) + +Improvements: +* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) +* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576) + + +## 0.13.0 (June 17th, 2021) + +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) + +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) +* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545) + +## 0.12.0 (May 25th, 2021) + +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) + +Bugs: +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + +## 0.11.0 (April 14th, 2021) + +Features: +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) +* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +## 0.10.0 (March 25th, 2021) + +Features: +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + +Improvements: +* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) + +## 0.9.1 (February 2nd, 2021) + +Bugs: +* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442) +* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446) + +## 0.9.0 (January 5th, 2021) + +Features: +* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436) +* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436) + +Improvements: +* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421) +* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415) +* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395) +* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408) +* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425) +* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428) +* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429) +* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389) + +## 0.8.0 (October 20th, 2020) + +Improvements: +* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381) +* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387) +* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393) +* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394) +* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400) +* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398) +* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392) + +Bugs: +* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378) + +## 0.7.0 (August 24th, 2020) + +Features: +* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314). +* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372) + +Improvements: +* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321) +* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177) +* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290) +* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363) +* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199) +* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367) +* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371) +* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364) +* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285) + +Bugs: +* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337) +* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352) +* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358) + +## 0.6.0 (June 3rd, 2020) + +Features: +* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258) +* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315) +* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319) + +Improvements: +* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) +* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] +* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] +* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] +* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] +* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)] +* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)] +* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317) + +Bugs: +* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] +* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] +* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)] +* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)] +* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298) + +## 0.5.0 (April 9th, 2020) + +Features: + +* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)] +* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] +* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] + +* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] +* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] +* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] +* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)] +* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)] + +## 0.4.0 (February 21st, 2020) + +Improvements: + +* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] +* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)] +* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)] +* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)] +* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)] + +Bugs: + +* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)] + +## 0.3.3 (January 14th, 2020) + +Security: + +* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175) + +Bugs: + +* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files + +## 0.3.2 (January 8th, 2020) + +Bugs: + +* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35] + +## 0.3.1 (January 2nd, 2020) + +Bugs: + +* Fixed injection bug causing kube-system pods to be rejected [VK8S-14] + +## 0.3.0 (December 19th, 2019) + +Features: + +* Extra containers can now be added to the Vault pods +* Added configurability of pod probes +* Added Vault Agent Injector + +Improvements: + +* Moved `global.image` to `server.image` +* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true` +* Added better HTTP/HTTPS scheme support to http probes +* Added configurable node port for Vault service +* `server.authDelegator` is now enabled by default + +Bugs: + +* Fixed upgrade bug by removing chart label which contained the version +* Fixed typo on `serviceAccount` (was `serviceaccount`) +* Fixed readiness/liveliness HTTP probe default to accept standbys + +## 0.2.1 (November 12th, 2019) + +Bugs: + +* Removed `readOnlyRootFilesystem` causing issues when validating deployments + +## 0.2.0 (October 29th, 2019) + +Features: + +* Added load balancer support +* Added ingress support +* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc) +* Removed root requirements, now runs as Vault user + +Improvements: + +* Added namespace value to all rendered objects +* Made ports configurable in services +* Added the ability to add custom annotations to services +* Added docker image for running bats test in CircleCI +* Removed restrictions around `dev` mode such as annotations +* `readOnlyRootFilesystem` is now configurable +* Image Pull Policy is now configurable + +Bugs: + +* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption) +* Fixed bug where audit storage was not being mounted in HA mode +* Fixed bug where Vault pod wasn't receiving SIGTERM signals + + +## 0.1.2 (August 22nd, 2019) + +Features: + +* Added `extraSecretEnvironmentVars` to allow users to mount secrets as + environment variables +* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS + depending on the value +* Added `serviceNodePort` to configure a NodePort value when setting `serviceType` + to "NodePort" + +Improvements: + +* Changed UI port to 8200 for better HTTP protocol support +* Added `path` to `extraVolumes` to define where the volume should be + mounted. Defaults to `/vault/userconfig` +* Upgraded Vault to 1.2.2 + +Bugs: + +* Fixed bug where upgrade would fail because immutable labels were being + changed (Helm Version label) +* Fixed bug where UI service used wrong selector after updating helm labels +* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks + Consul is the active node +* Removed `step-down` preStop since it requires authentication. Shutdown signal + sent by Kube acts similar to `step-down` + + +## 0.1.1 (August 7th, 2019) + +Features: + +* Added `authDelegator` Cluster Role Binding to Vault service account for + bootstrapping Kube auth method + +Improvements: + +* Added `server.service.clusterIP` to `values.yml` so users can toggle + the Vault service to headless by using the value `None`. +* Upgraded Vault to 1.2.1 + +## 0.1.0 (August 6th, 2019) + +Initial release diff --git a/charts/hashicorp/vault/0.26.1/CODEOWNERS b/charts/hashicorp/vault/0.26.1/CODEOWNERS new file mode 100644 index 0000000000..af6a3500f5 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/CODEOWNERS @@ -0,0 +1 @@ +* @hashicorp/vault-ecosystem-foundations diff --git a/charts/hashicorp/vault/0.26.1/CONTRIBUTING.md b/charts/hashicorp/vault/0.26.1/CONTRIBUTING.md new file mode 100644 index 0000000000..ad31ac92d1 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/CONTRIBUTING.md @@ -0,0 +1,247 @@ +# Contributing to Vault Helm + +**Please note:** We take Vault's security and our users' trust very seriously. +If you believe you have found a security issue in Vault, please responsibly +disclose by contacting us at security@hashicorp.com. + +**First:** if you're unsure or afraid of _anything_, just ask or submit the +issue or pull request anyways. You won't be yelled at for giving it your best +effort. The worst that can happen is that you'll be politely asked to change +something. We appreciate any sort of contributions, and don't want a wall of +rules to get in the way of that. + +That said, if you want to ensure that a pull request is likely to be merged, +talk to us! You can find out our thoughts and ensure that your contribution +won't clash or be obviated by Vault's normal direction. A great way to do this +is via the [Vault Discussion Forum][1]. + +This document will cover what we're looking for in terms of reporting issues. +By addressing all the points we're looking for, it raises the chances we can +quickly merge or address your contributions. + +[1]: https://discuss.hashicorp.com/c/vault + +## Issues + +### Reporting an Issue + +* Make sure you test against the latest released version. It is possible + we already fixed the bug you're experiencing. Even better is if you can test + against `main`, as bugs are fixed regularly but new versions are only + released every few months. + +* Provide steps to reproduce the issue, and if possible include the expected + results as well as the actual results. Please provide text, not screen shots! + +* Respond as promptly as possible to any questions made by the Vault + team to your issue. Stale issues will be closed periodically. + +### Issue Lifecycle + +1. The issue is reported. + +2. The issue is verified and categorized by a Vault Helm collaborator. + Categorization is done via tags. For example, bugs are marked as "bugs". + +3. Unless it is critical, the issue may be left for a period of time (sometimes + many weeks), giving outside contributors -- maybe you!? -- a chance to + address the issue. + +4. The issue is addressed in a pull request or commit. The issue will be + referenced in the commit message so that the code that fixes it is clearly + linked. + +5. The issue is closed. Sometimes, valid issues will be closed to keep + the issue tracker clean. The issue is still indexed and available for + future viewers, or can be re-opened if necessary. + +## Testing + +The Helm chart ships with both unit and acceptance tests. + +The unit tests don't require any active Kubernetes cluster and complete +very quickly. These should be used for fast feedback during development. +The acceptance tests require a Kubernetes cluster with a configured `kubectl`. + +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites +* [Bats](https://github.com/bats-core/bats-core) + ```bash + brew install bats-core + ``` +* [yq](https://pypi.org/project/yq/) + ```bash + brew install python-yq + ``` +* [helm](https://helm.sh) + ```bash + brew install kubernetes-helm + ``` + +#### Test + +To run the unit tests: + + bats ./test/unit + +To run the acceptance tests: + + bats ./test/acceptance + +If the acceptance tests fail, deployed resources in the Kubernetes cluster +may not be properly cleaned up. We recommend recycling the Kubernetes cluster to +start from a clean slate. + +**Note:** There is a Terraform configuration in the +[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +that can be used to quickly bring up a GKE cluster and configure +`kubectl` and `helm` locally. This can be used to quickly spin up a test +cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes +cluster. + +### Writing Unit Tests + +Changes to the Helm chart should be accompanied by appropriate unit tests. + +#### Formatting + +- Put tests in the test file in the same order as the variables appear in the `values.yaml`. +- Start tests for a chart value with a header that says what is being tested, like this: + ``` + #-------------------------------------------------------------------- + # annotations + ``` + +- Name the test based on what it's testing in the following format (this will be its first line): + ``` + @test "
: " { + ``` + + When adding tests to an existing file, the first section will be the same as the other tests in the file. + +#### Test Details + +[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way. +In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output. +In this way, we're able to test that the various conditionals in the templates render as we would expect. + +Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well. +The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/). +`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length). +The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match. + +The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`. + +The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`. + +#### Test Examples + +Here are some examples of common test patterns: + +- Check that a value is disabled by default + + ``` + @test "ui/Service: no type by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "null" ] + } + ``` + + In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`. + This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`. + + +- Check that a template value is rendered to a specific value + ``` + @test "ui/Service: specified type" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.serviceType=LoadBalancer' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "LoadBalancer" ] + } + ``` + + This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value. + +- Check that a template value contains several values + ``` + @test "server/standalone-StatefulSet: custom resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.requests.memory=256Mi' \ + --set 'server.resources.requests.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.limits.memory=256Mi' \ + --set 'server.resources.limits.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + ``` + + *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work. + +- Check that an entire template file is not rendered + ``` + @test "syncCatalog/Deployment: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + } + ``` + Here we are check the length of the command output to see if the anything is rendered. + This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) diff --git a/charts/hashicorp/vault/0.26.1/Chart.yaml b/charts/hashicorp/vault/0.26.1/Chart.yaml new file mode 100644 index 0000000000..c943a9577e --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Vault + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: vault + charts.openshift.io/name: HashiCorp Vault +apiVersion: v2 +appVersion: 1.15.1 +description: Official HashiCorp Vault Chart +home: https://www.vaultproject.io +icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png +keywords: +- vault +- security +- encryption +- secrets +- management +- automation +- infrastructure +kubeVersion: '>= 1.20.0-0' +name: vault +sources: +- https://github.com/hashicorp/vault +- https://github.com/hashicorp/vault-helm +- https://github.com/hashicorp/vault-k8s +- https://github.com/hashicorp/vault-csi-provider +version: 0.26.1 diff --git a/charts/hashicorp/vault/0.26.1/LICENSE b/charts/hashicorp/vault/0.26.1/LICENSE new file mode 100644 index 0000000000..74f38c0103 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/LICENSE @@ -0,0 +1,355 @@ +Copyright (c) 2018 HashiCorp, Inc. + +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. diff --git a/charts/hashicorp/vault/0.26.1/Makefile b/charts/hashicorp/vault/0.26.1/Makefile new file mode 100644 index 0000000000..5600220645 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/Makefile @@ -0,0 +1,101 @@ +TEST_IMAGE?=vault-helm-test +GOOGLE_CREDENTIALS?=vault-helm-test.json +CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats +ACCEPTANCE_TESTS?=acceptance + +# filter bats unit tests to run. +UNIT_TESTS_FILTER?='.*' + +# set to 'true' to run acceptance tests locally in a kind cluster +LOCAL_ACCEPTANCE_TESTS?=false + +# kind cluster name +KIND_CLUSTER_NAME?=vault-helm + +# kind k8s version +KIND_K8S_VERSION?=v1.26.3 + +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + +test-image: + @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) + +test-unit: + @docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit + +test-bats: test-unit test-acceptance + +test: test-image test-bats + +# run acceptance tests on GKE +# set google project/credential vars above +test-acceptance: +ifeq ($(LOCAL_ACCEPTANCE_TESTS),true) + make setup-kind acceptance +else + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make acceptance +endif + +# destroy GKE cluster using terraform +test-destroy: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make destroy-cluster + +# provision GKE cluster using terraform +test-provision: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -w /helm-test \ + $(TEST_IMAGE) \ + make provision-cluster + +# this target is for running the acceptance tests +# it is run in the docker container above when the test-acceptance target is invoked +acceptance: +ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} +endif + bats --tap --timing test/${ACCEPTANCE_TESTS} + +# this target is for provisioning the GKE cluster +# it is run in the docker container above when the test-provision target is invoked +provision-cluster: + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} + terraform init test/terraform + terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform + +# this target is for removing the GKE cluster +# it is run in the docker container above when the test-destroy target is invoked +destroy-cluster: + terraform destroy -auto-approve + +# create a kind cluster for running the acceptance tests locally +setup-kind: + kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \ + kind create cluster \ + --image kindest/node:${KIND_K8S_VERSION} \ + --name ${KIND_CLUSTER_NAME} \ + --config $(CURDIR)/test/kind/config.yaml + kubectl config use-context kind-${KIND_CLUSTER_NAME} + +# delete the kind cluster +delete-kind: + kind delete cluster --name ${KIND_CLUSTER_NAME} || : + +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/charts/hashicorp/vault/README.md b/charts/hashicorp/vault/0.26.1/README.md similarity index 100% rename from charts/hashicorp/vault/README.md rename to charts/hashicorp/vault/0.26.1/README.md diff --git a/charts/hashicorp/vault/templates/NOTES.txt b/charts/hashicorp/vault/0.26.1/templates/NOTES.txt similarity index 100% rename from charts/hashicorp/vault/templates/NOTES.txt rename to charts/hashicorp/vault/0.26.1/templates/NOTES.txt diff --git a/charts/hashicorp/vault/0.26.1/templates/_helpers.tpl b/charts/hashicorp/vault/0.26.1/templates/_helpers.tpl new file mode 100644 index 0000000000..965c7f64d3 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/_helpers.tpl @@ -0,0 +1,1045 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). If release name contains chart name it will +be used as a full name. +*/}} +{{- define "vault.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vault.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "vault.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "vault.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . "serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "vault.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.ha.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{ .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Set the variable 'mode' to the server mode requested by the user to simplify +template logic. +*/}} +{{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} + {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} + {{- $_ := set . "mode" "external" -}} + {{- else if not .serverEnabled -}} + {{- $_ := set . "mode" "external" -}} + {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} + {{- $_ := set . "mode" "dev" -}} + {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} + {{- $_ := set . "mode" "ha" -}} + {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}} + {{- $_ := set . "mode" "standalone" -}} + {{- else -}} + {{- $_ := set . "mode" "" -}} + {{- end -}} +{{- end -}} + +{{/* +Set's the replica count based on the different modes configured by user +*/}} +{{- define "vault.replicas" -}} + {{ if eq .mode "standalone" }} + {{- default 1 -}} + {{ else if eq .mode "ha" }} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} + {{ else }} + {{- default 1 -}} + {{ end }} +{{- end -}} + +{{/* +Set's up configmap mounts if this isn't a dev deployment and the user +defined a custom configuration. Additionally iterates over any +extra volumes the user may have specified (such as a secret with TLS). +*/}} +{{- define "vault.volumes" -}} + {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + configMap: + name: {{ template "vault.fullname" . }}-config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + defaultMode: {{ .defaultMode | default 420 }} + {{- end }} + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 8}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} +{{- end -}} + +{{/* +Set's the args for custom command to render the Vault configuration +file with IP addresses to make the out of box experience easier +for users looking to use this chart with Consul Helm. +*/}} +{{- define "vault.args" -}} + {{ if or (eq .mode "standalone") (eq .mode "ha") }} + - | + cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; + [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; + /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} + {{ else if eq .mode "dev" }} + - | + /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + {{ end }} +{{- end -}} + +{{/* +Set's additional environment variables based on the mode. +*/}} +{{- define "vault.envs" -}} + {{ if eq .mode "dev" }} + - name: VAULT_DEV_ROOT_TOKEN_ID + value: {{ .Values.server.dev.devRootToken }} + - name: VAULT_DEV_LISTEN_ADDRESS + value: "[::]:8200" + {{ end }} +{{- end -}} + +{{/* +Set's which additional volumes should be mounted to the container +based on the mode configured. +*/}} +{{- define "vault.mounts" -}} + {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - name: audit + mountPath: {{ .Values.server.auditStorage.mountPath }} + {{ end }} + {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }} + {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - name: data + mountPath: {{ .Values.server.dataStorage.mountPath }} + {{ end }} + {{ end }} + {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + mountPath: /vault/config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + {{- end }} + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 12}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} +{{- end -}} + +{{/* +Set's up the volumeClaimTemplates when data or audit storage is required. HA +might not use data storage since Consul is likely it's backend, however, audit +storage might be desired by the user. +*/}} +{{- define "vault.volumeclaims" -}} + {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} + volumeClaimTemplates: + {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} + - metadata: + name: data + {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.dataStorage.size }} + {{- if .Values.server.dataStorage.storageClass }} + storageClassName: {{ .Values.server.dataStorage.storageClass }} + {{- end }} + {{ end }} + {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - metadata: + name: audit + {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.auditStorage.size }} + {{- if .Values.server.auditStorage.storageClass }} + storageClassName: {{ .Values.server.auditStorage.storageClass }} + {{- end }} + {{ end }} + {{ end }} +{{- end -}} + +{{/* +Set's the affinity for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.affinity" -}} + {{- if and (ne .mode "dev") .Values.server.affinity }} + affinity: + {{ $tp := typeOf .Values.server.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the injector affinity for pod placement +*/}} +{{- define "injector.affinity" -}} + {{- if .Values.injector.affinity }} + affinity: + {{ $tp := typeOf .Values.injector.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the toleration for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.tolerations" -}} + {{- if and (ne .mode "dev") .Values.server.tolerations }} + tolerations: + {{- $tp := typeOf .Values.server.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "injector.tolerations" -}} + {{- if .Values.injector.tolerations }} + tolerations: + {{- $tp := typeOf .Values.injector.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the node selector for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.nodeselector" -}} + {{- if and (ne .mode "dev") .Values.server.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.server.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector node selector for pod placement +*/}} +{{- define "injector.nodeselector" -}} + {{- if .Values.injector.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.injector.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra pod annotations +*/}} +{{- define "vault.annotations" -}} + {{- if .Values.server.annotations }} + annotations: + {{- $tp := typeOf .Values.server.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector pod annotations +*/}} +{{- define "injector.annotations" -}} + {{- if .Values.injector.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector service annotations +*/}} +{{- define "injector.service.annotations" -}} + {{- if .Values.injector.service.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector pod level. +*/}} +{{- define "injector.securityContext.pod" -}} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + + +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector webhook annotations +*/}} +{{- define "injector.webhookAnnotations" -}} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} + annotations: + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} + {{- if eq $tp "string" }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} + {{- else }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the injector webhook objectSelector +*/}} +{{- define "injector.objectSelector" -}} + {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} + {{ if $v }} + objectSelector: + {{- $tp := typeOf $v -}} + {{ if eq $tp "string" }} + {{ tpl $v . | indent 6 | trim }} + {{ else }} + {{ toYaml $v | indent 6 | trim }} + {{ end }} + {{ end }} +{{ end }} + +{{/* +Sets extra ui service annotations +*/}} +{{- define "vault.ui.annotations" -}} + {{- if .Values.ui.annotations }} + annotations: + {{- $tp := typeOf .Values.ui.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.ui.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.ui.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vault.serviceAccount.name" -}} +{{- if .Values.server.serviceAccount.create -}} + {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.server.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Sets extra service account annotations +*/}} +{{- define "vault.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.server.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra ingress annotations +*/}} +{{- define "vault.ingress.annotations" -}} + {{- if .Values.server.ingress.annotations }} + annotations: + {{- $tp := typeOf .Values.server.ingress.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.ingress.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.ingress.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra route annotations +*/}} +{{- define "vault.route.annotations" -}} + {{- if .Values.server.route.annotations }} + annotations: + {{- $tp := typeOf .Values.server.route.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.route.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.route.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.annotations" -}} + {{- if .Values.server.service.annotations }} + {{- $tp := typeOf .Values.server.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service (active) annotations +*/}} +{{- define "vault.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets PodSecurityPolicy annotations +*/}} +{{- define "vault.psp.annotations" -}} + {{- if .Values.global.psp.annotations }} + annotations: + {{- $tp := typeOf .Values.global.psp.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.global.psp.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.global.psp.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra statefulset annotations +*/}} +{{- define "vault.statefulSet.annotations" -}} + {{- if .Values.server.statefulSet.annotations }} + annotations: + {{- $tp := typeOf .Values.server.statefulSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for data volume +*/}} +{{- define "vault.dataVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.dataStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for audit volume +*/}} +{{- define "vault.auditVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.auditStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the container resources if the user has set any. +*/}} +{{- define "vault.resources" -}} + {{- if .Values.server.resources -}} + resources: +{{ toYaml .Values.server.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "injector.resources" -}} + {{- if .Values.injector.resources -}} + resources: +{{ toYaml .Values.injector.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "csi.resources" -}} + {{- if .Values.csi.resources -}} + resources: +{{ toYaml .Values.csi.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets extra CSI daemonset annotations +*/}} +{{- define "csi.daemonSet.annotations" -}} + {{- if .Values.csi.daemonSet.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.daemonSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{- $tp := typeOf .Values.csi.pod.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} +{{/* +Sets extra CSI provider pod annotations +*/}} +{{- define "csi.pod.annotations" -}} + {{- if .Values.csi.pod.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.pod.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.pod.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra CSI service account annotations +*/}} +{{- define "csi.serviceAccount.annotations" -}} + {{- if .Values.csi.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "vault.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ printf "%s" $key | replace "." "_" | upper | quote }} + value: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment populated by secrets, if populated +*/}} +{{- define "vault.extraSecretEnvironmentVars" -}} +{{- if .extraSecretEnvironmentVars -}} +{{- range .extraSecretEnvironmentVars }} +- name: {{ .envName }} + valueFrom: + secretKeyRef: + name: {{ .secretName }} + key: {{ .secretKey }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Scheme for health check and local endpoint */}} +{{- define "vault.scheme" -}} +{{- if .Values.global.tlsDisable -}} +{{ "http" }} +{{- else -}} +{{ "https" }} +{{- end -}} +{{- end -}} + +{{/* +imagePullSecrets generates pull secrets from either string or map values. +A map value must be indexable by the key 'name'. +*/}} +{{- define "imagePullSecrets" -}} +{{- with .Values.global.imagePullSecrets -}} +imagePullSecrets: +{{- range . -}} +{{- if typeIs "string" . }} + - name: {{ . }} +{{- else if index . "name" }} + - name: {{ .name }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. +Supported inputs are Values.server.service and Values.ui +*/}} +{{- define "service.externalTrafficPolicy" -}} +{{- $type := "" -}} +{{- if .serviceType -}} +{{- $type = .serviceType -}} +{{- else if .type -}} +{{- $type = .type -}} +{{- end -}} +{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} +{{- else }} +{{- end }} +{{- end -}} + +{{/* +loadBalancer configuration for the the UI service. +Supported inputs are Values.ui +*/}} +{{- define "service.loadBalancer" -}} +{{- if eq (.serviceType | toString) "LoadBalancer" }} +{{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} +{{- end }} +{{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range . }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/vault/templates/csi-agent-configmap.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-agent-configmap.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-agent-configmap.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-agent-configmap.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/csi-clusterrole.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-clusterrole.yaml new file mode 100644 index 0000000000..6d979ea40c --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/csi-clusterrole.yaml @@ -0,0 +1,23 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +{{- end }} diff --git a/charts/hashicorp/vault/templates/csi-clusterrolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-clusterrolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-clusterrolebinding.yaml diff --git a/charts/hashicorp/vault/templates/csi-daemonset.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-daemonset.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-daemonset.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-daemonset.yaml diff --git a/charts/hashicorp/vault/templates/csi-role.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-role.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-role.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-role.yaml diff --git a/charts/hashicorp/vault/templates/csi-rolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-rolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-rolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-rolebinding.yaml diff --git a/charts/hashicorp/vault/templates/csi-serviceaccount.yaml b/charts/hashicorp/vault/0.26.1/templates/csi-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/vault/templates/csi-serviceaccount.yaml rename to charts/hashicorp/vault/0.26.1/templates/csi-serviceaccount.yaml diff --git a/charts/hashicorp/vault/templates/injector-certs-secret.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-certs-secret.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-certs-secret.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-certs-secret.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/injector-clusterrole.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-clusterrole.yaml new file mode 100644 index 0000000000..d5682dd76a --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/injector-clusterrole.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: + - "get" + - "list" + - "watch" + - "patch" +{{ end }} diff --git a/charts/hashicorp/vault/templates/injector-clusterrolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-clusterrolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-clusterrolebinding.yaml diff --git a/charts/hashicorp/vault/templates/injector-deployment.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-deployment.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-deployment.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-deployment.yaml diff --git a/charts/hashicorp/vault/templates/injector-disruptionbudget.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-disruptionbudget.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-disruptionbudget.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-disruptionbudget.yaml diff --git a/charts/hashicorp/vault/templates/injector-mutating-webhook.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-mutating-webhook.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-mutating-webhook.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-mutating-webhook.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/injector-network-policy.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-network-policy.yaml new file mode 100644 index 0000000000..4c3b087828 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/injector-network-policy.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/templates/injector-psp-role.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-psp-role.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-psp-role.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-psp-role.yaml diff --git a/charts/hashicorp/vault/templates/injector-psp-rolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-psp-rolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-psp-rolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-psp-rolebinding.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/injector-psp.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-psp.yaml new file mode 100644 index 0000000000..0eca9a87c6 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/injector-psp.yaml @@ -0,0 +1,51 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/templates/injector-role.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-role.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-role.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-role.yaml diff --git a/charts/hashicorp/vault/templates/injector-rolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-rolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-rolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-rolebinding.yaml diff --git a/charts/hashicorp/vault/templates/injector-service.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-service.yaml diff --git a/charts/hashicorp/vault/templates/injector-serviceaccount.yaml b/charts/hashicorp/vault/0.26.1/templates/injector-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-serviceaccount.yaml rename to charts/hashicorp/vault/0.26.1/templates/injector-serviceaccount.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/prometheus-prometheusrules.yaml b/charts/hashicorp/vault/0.26.1/templates/prometheus-prometheusrules.yaml new file mode 100644 index 0000000000..7e58a0e522 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/prometheus-prometheusrules.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ if and (.Values.serverTelemetry.prometheusRules.rules) + (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) +}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + groups: + - name: {{ include "vault.fullname" . }} + rules: + {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/templates/prometheus-servicemonitor.yaml b/charts/hashicorp/vault/0.26.1/templates/prometheus-servicemonitor.yaml similarity index 100% rename from charts/hashicorp/vault/templates/prometheus-servicemonitor.yaml rename to charts/hashicorp/vault/0.26.1/templates/prometheus-servicemonitor.yaml diff --git a/charts/hashicorp/vault/templates/server-clusterrolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/server-clusterrolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-clusterrolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-clusterrolebinding.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/server-config-configmap.yaml b/charts/hashicorp/vault/0.26.1/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..5c660579fe --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/server-config-configmap.yaml @@ -0,0 +1,45 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} +{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-config + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + extraconfig-from-values.hcl: |- + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} + disable_mlock = true + {{- if eq .mode "standalone" }} + {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} + {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} + {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/templates/server-discovery-role.yaml b/charts/hashicorp/vault/0.26.1/templates/server-discovery-role.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-discovery-role.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-discovery-role.yaml diff --git a/charts/hashicorp/vault/templates/server-discovery-rolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/server-discovery-rolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-discovery-rolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-discovery-rolebinding.yaml diff --git a/charts/hashicorp/vault/templates/server-disruptionbudget.yaml b/charts/hashicorp/vault/0.26.1/templates/server-disruptionbudget.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-disruptionbudget.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-disruptionbudget.yaml diff --git a/charts/hashicorp/vault/templates/server-ha-active-service.yaml b/charts/hashicorp/vault/0.26.1/templates/server-ha-active-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-ha-active-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-ha-active-service.yaml diff --git a/charts/hashicorp/vault/templates/server-ha-standby-service.yaml b/charts/hashicorp/vault/0.26.1/templates/server-ha-standby-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-ha-standby-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-ha-standby-service.yaml diff --git a/charts/hashicorp/vault/templates/server-headless-service.yaml b/charts/hashicorp/vault/0.26.1/templates/server-headless-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-headless-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-headless-service.yaml diff --git a/charts/hashicorp/vault/templates/server-ingress.yaml b/charts/hashicorp/vault/0.26.1/templates/server-ingress.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-ingress.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-ingress.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/server-network-policy.yaml b/charts/hashicorp/vault/0.26.1/templates/server-network-policy.yaml new file mode 100644 index 0000000000..62d4ae1ac5 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/server-network-policy.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP + {{- if .Values.server.networkPolicy.egress }} + egress: + {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} + {{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/templates/server-psp-role.yaml b/charts/hashicorp/vault/0.26.1/templates/server-psp-role.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-psp-role.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-psp-role.yaml diff --git a/charts/hashicorp/vault/templates/server-psp-rolebinding.yaml b/charts/hashicorp/vault/0.26.1/templates/server-psp-rolebinding.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-psp-rolebinding.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-psp-rolebinding.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/server-psp.yaml b/charts/hashicorp/vault/0.26.1/templates/server-psp.yaml new file mode 100644 index 0000000000..567e66245e --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/server-psp.yaml @@ -0,0 +1,54 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - persistentVolumeClaim + {{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/templates/server-route.yaml b/charts/hashicorp/vault/0.26.1/templates/server-route.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-route.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-route.yaml diff --git a/charts/hashicorp/vault/templates/server-service.yaml b/charts/hashicorp/vault/0.26.1/templates/server-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-service.yaml diff --git a/charts/hashicorp/vault/templates/server-serviceaccount-secret.yaml b/charts/hashicorp/vault/0.26.1/templates/server-serviceaccount-secret.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-serviceaccount-secret.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-serviceaccount-secret.yaml diff --git a/charts/hashicorp/vault/templates/server-serviceaccount.yaml b/charts/hashicorp/vault/0.26.1/templates/server-serviceaccount.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-serviceaccount.yaml rename to charts/hashicorp/vault/0.26.1/templates/server-serviceaccount.yaml diff --git a/charts/hashicorp/vault/0.26.1/templates/server-statefulset.yaml b/charts/hashicorp/vault/0.26.1/templates/server-statefulset.yaml new file mode 100644 index 0000000000..f330927d67 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/templates/server-statefulset.yaml @@ -0,0 +1,221 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} +# StatefulSet to run the actual vault server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.statefulSet.annotations" . }} +spec: + serviceName: {{ template "vault.fullname" . }}-internal + podManagementPolicy: Parallel + replicas: {{ template "vault.replicas" . }} + updateStrategy: + type: {{ .Values.server.updateStrategyType }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + template: + metadata: + labels: + helm.sh/chart: {{ template "vault.chart" . }} + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if .Values.server.extraLabels -}} + {{- toYaml .Values.server.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "vault.annotations" . }} + spec: + {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} + {{ template "vault.tolerations" . }} + {{ template "vault.nodeselector" . }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + serviceAccountName: {{ template "vault.serviceAccount.name" . }} + {{ if .Values.server.shareProcessNamespace }} + shareProcessNamespace: true + {{ end }} + {{- template "server.statefulSet.securityContext.pod" . }} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} + volumes: + {{ template "vault.volumes" . }} + - name: home + emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} + {{- if .Values.server.extraInitContainers }} + initContainers: + {{ toYaml .Values.server.extraInitContainers | nindent 8}} + {{- end }} + containers: + - name: vault + {{ template "vault.resources" . }} + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + command: + - "/bin/sh" + - "-ec" + args: {{ template "vault.args" . }} + {{- template "server.statefulSet.securityContext.container" . }} + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VAULT_ADDR + value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" + - name: VAULT_API_ADDR + {{- if .Values.server.ha.apiAddr }} + value: {{ .Values.server.ha.apiAddr }} + {{- else }} + value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + {{- end }} + - name: SKIP_CHOWN + value: "true" + - name: SKIP_SETCAP + value: "true" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} + {{- else }} + value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} + {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} + - name: VAULT_RAFT_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- end }} + - name: HOME + value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} + {{ template "vault.envs" . }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} + {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} + volumeMounts: + {{ template "vault.mounts" . }} + - name: home + mountPath: /home/vault + ports: + - containerPort: 8200 + name: {{ include "vault.scheme" . }} + - containerPort: 8201 + name: https-internal + - containerPort: 8202 + name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} + {{- if .Values.server.readinessProbe.enabled }} + readinessProbe: + {{- if .Values.server.readinessProbe.path }} + httpGet: + path: {{ .Values.server.readinessProbe.path | quote }} + port: {{ .Values.server.readinessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + {{- else }} + # Check status; unsealed vault servers return 0 + # The exit code reflects the seal status: + # 0 - unsealed + # 1 - error + # 2 - sealed + exec: + command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] + {{- end }} + failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.server.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.server.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: {{ .Values.server.livenessProbe.path | quote }} + port: {{ .Values.server.livenessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.server.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} + {{- end }} + lifecycle: + # Vault container doesn't receive SIGTERM from Kubernetes + # and after the grace period ends, Kube sends SIGKILL. This + # causes issues with graceful shutdowns such as deregistering itself + # from Consul (zombie services). + preStop: + exec: + command: [ + "/bin/sh", "-c", + # Adding a sleep here to give the pod eviction a + # chance to propagate, so requests will not be made + # to this pod while it's terminating + "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", + ] + {{- if .Values.server.postStart }} + postStart: + exec: + command: + {{- range (.Values.server.postStart) }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} + {{ template "vault.volumeclaims" . }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/templates/tests/server-test.yaml b/charts/hashicorp/vault/0.26.1/templates/tests/server-test.yaml similarity index 100% rename from charts/hashicorp/vault/templates/tests/server-test.yaml rename to charts/hashicorp/vault/0.26.1/templates/tests/server-test.yaml diff --git a/charts/hashicorp/vault/templates/ui-service.yaml b/charts/hashicorp/vault/0.26.1/templates/ui-service.yaml similarity index 100% rename from charts/hashicorp/vault/templates/ui-service.yaml rename to charts/hashicorp/vault/0.26.1/templates/ui-service.yaml diff --git a/charts/hashicorp/vault/0.26.1/values.openshift.yaml b/charts/hashicorp/vault/0.26.1/values.openshift.yaml new file mode 100644 index 0000000000..2dbe4df17e --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/values.openshift.yaml @@ -0,0 +1,24 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# These overrides are appropriate defaults for deploying this chart on OpenShift + +global: + openshift: true + +injector: + image: + repository: "registry.connect.redhat.com/hashicorp/vault-k8s" + tag: "1.3.1-ubi" + + agentImage: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.15.1-ubi" + +server: + image: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.15.1-ubi" + + readinessProbe: + path: "/v1/sys/health?uninitcode=204" diff --git a/charts/hashicorp/vault/0.26.1/values.schema.json b/charts/hashicorp/vault/0.26.1/values.schema.json new file mode 100644 index 0000000000..6a8b350ce2 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/values.schema.json @@ -0,0 +1,1183 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "null", + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + } + } + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + } + } + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "namespace": { + "type": "string" + }, + "externalVaultAddr": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, + "psp": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enable": { + "type": "boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, + "template": { + "type": "string" + }, + "templateConfig": { + "type": "object", + "properties": { + "exitOnRetryFailure": { + "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" + } + } + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": [ + "null", + "string" + ] + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "podDisruptionBudget": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "strategy": { + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "webhookAnnotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "extraArgs": { + "type": "string" + }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, + "extraContainers": { + "type": [ + "null", + "array" + ] + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraInitContainers": { + "type": [ + "null", + "array" + ] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": [ + "null", + "string" + ] + }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, + "config": { + "type": [ + "string", + "object" + ] + }, + "disruptionBudget": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": [ + "null", + "integer" + ] + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "hostAliases": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "ingressClassName": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "pathType": { + "type": "string" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": "array" + }, + "enabled": { + "type": "boolean" + } + } + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "port": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "targetPort": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "activeNodePort": { + "type": "integer" + }, + "standbyNodePort": { + "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "create": { + "type": "boolean" + }, + "extraLabels": { + "type": "object" + }, + "createSecret": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": [ + "string", + "boolean" + ] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + } + } + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + }, + "hostNetwork": { + "type": "boolean" + } + } + }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalPort": { + "type": "integer" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": [ + "null", + "integer" + ] + }, + "serviceType": { + "type": "string" + }, + "targetPort": { + "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] + } + } + } + } +} diff --git a/charts/hashicorp/vault/0.26.1/values.yaml b/charts/hashicorp/vault/0.26.1/values.yaml new file mode 100644 index 0000000000..781b930af0 --- /dev/null +++ b/charts/hashicorp/vault/0.26.1/values.yaml @@ -0,0 +1,1283 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Vault chart. + +global: + # enabled is the master enabled switch. Setting this to true or false + # will enable or disable all the components within this chart by default. + enabled: true + + # The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + + # Image pull secret to use for registry authentication. + # Alternatively, the value may be specified as an array of strings. + imagePullSecrets: [] + # imagePullSecrets: + # - name: image-pull-secret + + # TLS for end-to-end encrypted transport + tlsDisable: true + + # External vault server address for the injector and CSI provider to use. + # Setting this will disable deployment of a vault server. + externalVaultAddr: "" + + # If deploying to OpenShift + openshift: false + + # Create PodSecurityPolicy for pods + psp: + enable: false + # Annotation for PodSecurityPolicy. + # This is a multi-line templated string map, and can also be set as YAML. + annotations: | + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + +injector: + # True if you want to enable vault agent injection. + # @default: global.enabled + enabled: "-" + + replicas: 1 + + # Configures the port the injector should listen on + port: 8080 + + # If multiple replicas are specified, by default a leader will be determined + # so that only one injector attempts to create TLS certificates. + leaderElector: + enabled: true + + # If true, will enable a node exporter metrics endpoint at /metrics. + metrics: + enabled: false + + # Deprecated: Please use global.externalVaultAddr instead. + externalVaultAddr: "" + + # image sets the repo and tag of the vault-k8s image to use for the injector. + image: + repository: "hashicorp/vault-k8s" + tag: "1.3.1" + pullPolicy: IfNotPresent + + # agentImage sets the repo and tag of the Vault image to use for the Vault Agent + # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # required. + agentImage: + repository: "hashicorp/vault" + tag: "1.15.1" + + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" + + # Default values within Agent's template_config stanza. + templateConfig: + exitOnRetryFailure: true + staticSecretRenderInterval: "" + + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + + # Mount Path of the Vault Kubernetes Auth Method. + authPath: "auth/kubernetes" + + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "info" + + # Configures the log format of the injector. Supported log formats: "standard", "json". + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: | + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - {{ template "vault.name" . }}-agent-injector + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Deprecated: please use 'webhook.annotations' instead + # Extra annotations to attach to the webhook + webhookAnnotations: {} + + certs: + # secretName is the name of the secret that has the TLS certificate and + # private key to serve the injector webhook. If this is null, then the + # injector will default to its automatic management mode that will assign + # a service account to the injector to generate its own certificates. + secretName: null + + # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA + # that signed the TLS certificate that the webhook serves. This must be set + # if secretName is non-null unless an external service like cert-manager is + # keeping the caBundle updated. + caBundle: "" + + # certName and keyName are the names of the files within the secret for + # the TLS cert and private key, respectively. These have reasonable + # defaults but can be customized if necessary. + certName: tls.crt + keyName: tls.key + + # Security context for the pod template and the injector container + # The default pod securityContext is: + # runAsNonRoot: true + # runAsGroup: {{ .Values.injector.gid | default 1000 }} + # runAsUser: {{ .Values.injector.uid | default 100 }} + # fsGroup: {{ .Values.injector.gid | default 1000 }} + # and for container is + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + securityContext: + pod: {} + container: {} + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # extraEnvironmentVars is a list of extra environment variables to set in the + # injector deployment. + extraEnvironmentVars: {} + # KUBERNETES_SERVICE_HOST: kubernetes.default.svc + + # Affinity Settings for injector pods + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. + # Commenting out or setting as empty the affinity variable, will allow + # deployment of multiple replicas to single node services such as Minikube. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: webhook + topologyKey: kubernetes.io/hostname + + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for injector pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Priority class for injector pods + priorityClassName: "" + + # Extra annotations to attach to the injector pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the injector pods + annotations: {} + + # Extra labels to attach to the agent-injector + # This should be a YAML map of the labels to apply to the injector + extraLabels: {} + + # Should the injector pods run on the host network (useful when using + # an alternate CNI in EKS) + hostNetwork: false + + # Injector service specific config + service: + # Extra annotations to attach to the injector service + annotations: {} + + # Injector serviceAccount specific config + serviceAccount: + # Extra annotations to attach to the injector serviceAccount + annotations: {} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +server: + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" + + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + + # Resource requests, limits, etc. for the server cluster placement. This + # should map directly to the value of the resources field for a PodSpec. + # By default no direct resource request is made. + + image: + repository: "hashicorp/vault" + tag: "1.15.1" + # Overrides the default Image Pull Policy + pullPolicy: IfNotPresent + + # Configure the Update Strategy Type for the StatefulSet + # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategyType: "OnDelete" + + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Ingress allows ingress services to be created to allow external access + # from Kubernetes to access Vault pods. + # If deployment is on OpenShift, the following block is ignored. + # In order to expose the service, use the route section below + ingress: + enabled: false + labels: {} + # traffic: external + annotations: {} + # | + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # or + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # Optionally use ingressClassName instead of deprecated annotation. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + ingressClassName: "" + + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. + pathType: Prefix + + # When HA mode is enabled and K8s service registration is being used, + # configure the ingress to point to the Vault active service. + activeService: true + hosts: + - host: chart-example.local + paths: [] + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # service: + # name: ssl-redirect + # port: + # number: use-annotation + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + + # OpenShift only - create a route to expose the service + # By default the created route will be of type passthrough + route: + enabled: false + + # When HA mode is enabled and K8s service registration is being used, + # configure the route to point to the Vault active service. + activeService: true + + labels: {} + annotations: {} + host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough + + # authDelegator enables a cluster role binding to be attached to the service + # account. This cluster role binding can be used to setup Kubernetes auth + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes + authDelegator: + enabled: true + + # extraInitContainers is a list of init containers. Specified as a YAML list. + # This is useful if you need to run a script to provision TLS certificates or + # write out configuration files in a dynamic way. + extraInitContainers: null + # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, + # # which is defined in the volumes value. + # - name: oauthapp + # image: "alpine" + # command: [sh, -c] + # args: + # - cd /tmp && + # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz && + # tar -xf oauthapp.xz && + # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp && + # chmod +x /usr/local/libexec/vault/oauthapp + # volumeMounts: + # - name: plugins + # mountPath: /usr/local/libexec/vault + + # extraContainers is a list of sidecar containers. Specified as a YAML list. + extraContainers: null + + # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + shareProcessNamespace: false + + # extraArgs is a string containing additional Vault server arguments. + extraArgs: "" + + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + + # Used to define custom readinessProbe settings + readinessProbe: + enabled: true + # If you need to use a http path instead of the default exec + # path: /v1/sys/health?standbyok=true + + # Port number on which readinessProbe will be checked. + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to enable a livenessProbe for the pods + livenessProbe: + enabled: false + path: "/v1/sys/health?standbyok=true" + # Port number on which livenessProbe will be checked. + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 60 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + + # Used to set the sleep time during the preStop step + preStopSleepSeconds: 5 + + # Used to define commands to run after the pod is ready. + # This can be used to automate processes such as initialization + # or boostrapping auth methods. + postStart: [] + # - /bin/sh + # - -c + # - /vault/userconfig/myscript/run.sh + + # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be + # used to include variables required for auto-unseal. + extraEnvironmentVars: {} + # GOOGLE_REGION: global + # GOOGLE_PROJECT: myproject + # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + + # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. + # These variables take value from existing Secret objects. + extraSecretEnvironmentVars: [] + # - envName: AWS_SECRET_ACCESS_KEY + # secretName: vault + # secretKey: AWS_SECRET_ACCESS_KEY + + # Deprecated: please use 'volumes' instead. + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Vault in the path `/vault/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: plugins + # emptyDir: {} + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - mountPath: /usr/local/libexec/vault + # name: plugins + # readOnly: true + + # Affinity Settings + # Commenting out or setting as empty the affinity variable, will allow + # deployment to single node services such as Minikube + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for server pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Enables network policy for server pods + networkPolicy: + enabled: false + egress: [] + # egress: + # - to: + # - ipBlock: + # cidr: 10.0.0.0/24 + # ports: + # - protocol: TCP + # port: 443 + + # Priority class for server pods + priorityClassName: "" + + # Extra labels to attach to the server pods + # This should be a YAML map of the labels to apply to the server pods + extraLabels: {} + + # Extra annotations to attach to the server pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the server pods + annotations: {} + + # Enables a headless service to be used by the Vault Statefulset + service: + enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labeled themselves as the cluster leader with `vault-active: "true"`. + active: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} + # Enable or disable the vault-standby service, which selects Vault pods that + # have labeled themselves as a cluster follower with `vault-active: "false"`. + standby: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true + # clusterIP controls whether a Cluster IP address is attached to the + # Vault service within Kubernetes. By default, the Vault service will + # be given a Cluster IP address, set to None to disable. When disabled + # Kubernetes will create a "headless" service. Headless services can be + # used to communicate with pods directly through DNS instead of a round-robin + # load balancer. + # clusterIP: None + + # Configures the service type for the main Vault service. Can be ClusterIP + # or NodePort. + #type: ClusterIP + + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. + publishNotReadyAddresses: true + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #nodePort: 30000 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #activeNodePort: 30001 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #standbyNodePort: 30002 + + # Port on which Vault server is listening + port: 8200 + # Target port to which the service should be mapped to + targetPort: 8200 + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the service. + annotations: {} + + # This configures the Vault Statefulset to create a PVC for data + # storage when using the file or raft backend storage engines. + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more + dataStorage: + enabled: true + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/data" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + + # This configures the Vault Statefulset to create a PVC for audit + # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # be configured to use this for audit logs. This will be mounted to + # /vault/audit + # See https://developer.hashicorp.com/vault/docs/audit to know more + auditStorage: + enabled: false + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/audit" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + + # Run Vault in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with Vault without + # needing to unseal, store keys, et. al. All data is lost on restart - do not + # use dev mode for anything other than experimenting. + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more + dev: + enabled: false + + # Set VAULT_DEV_ROOT_TOKEN_ID value + devRootToken: "root" + + # Run Vault in "standalone" mode. This is the default mode that will deploy if + # no arguments are given to helm. This requires a PVC for data storage to use + # the "file" backend. This mode is not highly available and should not be scaled + # past a single replica. + standalone: + enabled: "-" + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # and store data there. This is only used when using a Replica count of 1, and + # using a stateful set. This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + storage "file" { + path = "/vault/data" + } + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # Run Vault in "HA" mode. There are no storage requirements unless the audit log + # persistence is required. In HA mode Vault will configure itself to use Consul + # for its storage backend. The default configuration provided will work the Consul + # Helm project by default. It is possible to manually configure Vault to use a + # different HA backend. + ha: + enabled: false + replicas: 3 + + # Set the api_addr configuration for Vault HA + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr + # If set to null, this will be set to the Pod IP Address + apiAddr: null + + # Set the cluster_addr confuguration for Vault HA + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where + # Vault's persistence is external (such as Consul), enabling Raft mode will create + # persistent volumes for Vault to store data according to the configuration under server.dataStorage. + # The Vault cluster will coordinate leader elections and failovers internally. + raft: + + # Enables Raft integrated storage + enabled: false + # Set the Node Raft ID to the name of the pod + setNodeId: false + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + + storage "raft" { + path = "/vault/data" + } + + service_registration "kubernetes" {} + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a Consul for its HA storage backend. + # This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "consul" { + path = "vault" + address = "HOST_IP:8500" + } + + service_registration "kubernetes" {} + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev-246514" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + disruptionBudget: + enabled: true + + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. + maxUnavailable: null + + # Definition of the serviceAccount used to run Vault. + # These options are also used when using an external Vault server to validate + # Kubernetes tokens. + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # Create a Secret API object to store a non-expiring token for the service account. + # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets + # serviceAccount.create must be equal to 'true' in order to use this feature. + createSecret: false + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true + + # Settings for the statefulSet used to run Vault. + statefulSet: + # Extra annotations for the statefulSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the statefulSet. + annotations: {} + + # Set the pod and container security contexts. + # If not set, these will default to, and for *not* OpenShift: + # pod: + # runAsNonRoot: true + # runAsGroup: {{ .Values.server.gid | default 1000 }} + # runAsUser: {{ .Values.server.uid | default 100 }} + # fsGroup: {{ .Values.server.gid | default 1000 }} + # container: + # allowPrivilegeEscalation: false + # + # If not set, these will default to, and for OpenShift: + # pod: {} + # container: {} + securityContext: + pod: {} + container: {} + + # Should the server pods run on the host network + hostNetwork: false + +# Vault UI +ui: + # True if you want to create a Service entry for the Vault UI. + # + # serviceType can be used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) to access the UI. + enabled: false + publishNotReadyAddresses: true + # The service should only contain selectors for active Vault pod + activeVaultPodOnly: false + serviceType: "ClusterIP" + serviceNodePort: null + externalPort: 8200 + targetPort: 8200 + + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + #loadBalancerSourceRanges: + # - 10.0.0.0/16 + # - 1.78.23.3/32 + + # loadBalancerIP: + + # Extra annotations to attach to the ui service + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the ui service + annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/vault-csi-provider" + tag: "1.4.1" + pullPolicy: IfNotPresent + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + # Provider host path (must match the CSI provider's path) + providersDir: "/etc/kubernetes/secrets-store-csi-providers" + # Kubelet host path + kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} + # security context for the pod template and container in the csi provider daemonSet + securityContext: + pod: {} + container: {} + + pod: + # Extra annotations for the provider pods. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + # Toleration Settings for provider pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + agent: + enabled: true + extraArgs: [] + + image: + repository: "hashicorp/vault" + tag: "1.15.1" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Priority class for csi pods + priorityClassName: "" + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Enables debug logging. + debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments + # for the available command line flags. + extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. Currently, this chart does not support + # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical diff --git a/charts/hashicorp/vault/0.27.0/.helmignore b/charts/hashicorp/vault/0.27.0/.helmignore new file mode 100644 index 0000000000..4007e24350 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.terraform/ +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# CI and test +.circleci/ +.github/ +.gitlab-ci.yml +test/ diff --git a/charts/hashicorp/vault/0.27.0/CHANGELOG.md b/charts/hashicorp/vault/0.27.0/CHANGELOG.md new file mode 100644 index 0000000000..0e0cb0af82 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/CHANGELOG.md @@ -0,0 +1,528 @@ +## Unreleased + +## 0.27.0 (November 16, 2023) + +Changes: + +* Default `vault` version updated to 1.15.2 + +Features: + +* server: Support setting `persistentVolumeClaimRetentionPolicy` on the StatefulSet [GH-965](https://github.com/hashicorp/vault-helm/pull/965) +* server: Support setting labels on PVCs [GH-969](https://github.com/hashicorp/vault-helm/pull/969) +* server: Support setting ingress rules for networkPolicy [GH-877](https://github.com/hashicorp/vault-helm/pull/877) + +Improvements: + +* Support exec in the server liveness probe [GH-971](https://github.com/hashicorp/vault-helm/pull/971) + +## 0.26.1 (October 30, 2023) + +Bugs: +* Fix templating of `server.ha.replicas` when set via override file. The `0.26.0` chart would ignore `server.ha.replicas` and always deploy 3 server replicas when `server.ha.enabled=true` unless overridden by command line when issuing the helm command: `--set server.ha.replicas=`. Fixed in [GH-961](https://github.com/hashicorp/vault-helm/pull/961) + +## 0.26.0 (October 27, 2023) + +Changes: +* Default `vault` version updated to 1.15.1 +* Default `vault-k8s` version updated to 1.3.1 +* Default `vault-csi-provider` version updated to 1.4.1 +* Tested with Kubernetes versions 1.24-1.28 +* server: OpenShift default readiness probe returns 204 when uninitialized [GH-966](https://github.com/hashicorp/vault-helm/pull/966) + +Features: +* server: Add support for dual stack clusters [GH-833](https://github.com/hashicorp/vault-helm/pull/833) +* server: Support `hostAliases` for the StatefulSet pods [GH-955](https://github.com/hashicorp/vault-helm/pull/955) +* server: Add `server.service.active.annotations` and `server.service.standby.annotations` [GH-896](https://github.com/hashicorp/vault-helm/pull/896) +* server: Add long-lived service account token option [GH-923](https://github.com/hashicorp/vault-helm/pull/923) + +Bugs: +* csi: Add namespace field to `csi-role` and `csi-rolebindings`. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) + +Improvements: +* global: Add `global.namespace` to override the helm installation namespace. [GH-909](https://github.com/hashicorp/vault-helm/pull/909) +* server: use vault.fullname in Helm test [GH-912](https://github.com/hashicorp/vault-helm/pull/912) +* server: Allow scaling HA replicas to zero [GH-943](https://github.com/hashicorp/vault-helm/pull/943) + +## 0.25.0 (June 26, 2023) + +Changes: +* Latest Kubernetes version tested is now 1.27 +* server: Headless service ignores `server.service.publishNotReadyAddresses` setting and always sets it as `true` [GH-902](https://github.com/hashicorp/vault-helm/pull/902) +* `vault` updated to 1.14.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) +* `vault-csi-provider` updated to 1.4.0 [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Improvements: +* CSI: Make `nodeSelector` and `affinity` configurable for CSI daemonset's pods [GH-862](https://github.com/hashicorp/vault-helm/pull/862) +* injector: Add `ephemeralLimit` and `ephemeralRequest` as options for configuring Agent's ephemeral storage resources [GH-798](https://github.com/hashicorp/vault-helm/pull/798) +* Minimum kubernetes version for chart reverted to 1.20.0 to allow installation on clusters older than the oldest tested version [GH-916](https://github.com/hashicorp/vault-helm/pull/916) + +Bugs: +* server: Set the default for `prometheusRules.rules` to an empty list [GH-886](https://github.com/hashicorp/vault-helm/pull/886) + +## 0.24.1 (April 17, 2023) + +Bugs: +* csi: Add RBAC required by v1.3.0 to create secret for HMAC key used to generate secret versions [GH-872](https://github.com/hashicorp/vault-helm/pull/872) + +## 0.24.0 (April 6, 2023) + +Changes: +* Earliest Kubernetes version tested is now 1.22 +* `vault` updated to 1.13.1 [GH-863](https://github.com/hashicorp/vault-helm/pull/863) +* `vault-k8s` updated to 1.2.1 [GH-868](https://github.com/hashicorp/vault-helm/pull/868) +* `vault-csi-provider` updated to 1.3.0 [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +Features: +* server: New `extraPorts` option for adding ports to the Vault server statefulset [GH-841](https://github.com/hashicorp/vault-helm/pull/841) +* server: Add configurable Port Number in readinessProbe and livenessProbe for the server-statefulset [GH-831](https://github.com/hashicorp/vault-helm/pull/831) +* injector: Make livenessProbe and readinessProbe configurable and add configurable startupProbe [GH-852](https://github.com/hashicorp/vault-helm/pull/852) +* csi: Add an Agent sidecar to Vault CSI Provider pods to provide lease caching and renewals [GH-749](https://github.com/hashicorp/vault-helm/pull/749) + +## 0.23.0 (November 28th, 2022) + +Changes: +* `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) +* `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814) + +Features: +* server: Add `extraLabels` for Vault server serviceAccount [GH-806](https://github.com/hashicorp/vault-helm/pull/806) +* server: Add `server.service.active.enabled` and `server.service.standby.enabled` options to selectively disable additional services [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.serviceAccount.serviceDiscovery.enabled` option to selectively disable a Vault service discovery role and role binding [GH-811](https://github.com/hashicorp/vault-helm/pull/811) +* server: Add `server.service.instanceSelector.enabled` option to allow selecting pods outside the helm chart deployment [GH-813](https://github.com/hashicorp/vault-helm/pull/813) + +Bugs: +* server: Quote `.server.ha.clusterAddr` value [GH-810](https://github.com/hashicorp/vault-helm/pull/810) + +## 0.22.1 (October 26th, 2022) + +Changes: +* `vault` updated to 1.12.0 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) +* `vault-k8s` updated to 1.0.1 [GH-803](https://github.com/hashicorp/vault-helm/pull/803) + +## 0.22.0 (September 8th, 2022) + +Features: +* Add PrometheusOperator support for collecting Vault server metrics. [GH-772](https://github.com/hashicorp/vault-helm/pull/772) + +Changes: +* `vault-k8s` to 1.0.0 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* Test against Kubernetes 1.25 [GH-784](https://github.com/hashicorp/vault-helm/pull/784) +* `vault` updated to 1.11.3 [GH-785](https://github.com/hashicorp/vault-helm/pull/785) + +## 0.21.0 (August 10th, 2022) + +CHANGES: +* `vault-k8s` updated to 0.17.0. [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault-csi-provider` updated to 1.2.0 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* `vault` updated to 1.11.2 [GH-771](https://github.com/hashicorp/vault-helm/pull/771) +* Start testing against Kubernetes 1.24. [GH-744](https://github.com/hashicorp/vault-helm/pull/744) +* Deprecated `injector.externalVaultAddr`. Added `global.externalVaultAddr`, which applies to both the Injector and the CSI Provider. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) +* CSI Provider pods now set the `VAULT_ADDR` environment variable to either the internal Vault service or the configured external address. [GH-745](https://github.com/hashicorp/vault-helm/pull/745) + +Features: +* server: Add `server.statefulSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* csi: Add `csi.daemonSet.securityContext` to override pod and container `securityContext`. [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* injector: Add `injector.securityContext` to override pod and container `securityContext`. [GH-750](https://github.com/hashicorp/vault-helm/pull/750) and [GH-767](https://github.com/hashicorp/vault-helm/pull/767) +* Add `server.service.activeNodePort` and `server.service.standbyNodePort` to specify the `nodePort` for active and standby services. [GH-610](https://github.com/hashicorp/vault-helm/pull/610) +* Support for setting annotations on the injector's serviceAccount [GH-753](https://github.com/hashicorp/vault-helm/pull/753) + +## 0.20.1 (May 25th, 2022) +CHANGES: +* `vault-k8s` updated to 0.16.1 [GH-739](https://github.com/hashicorp/vault-helm/pull/739) + +Improvements: +* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736) + +Bugs: +* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737) + +## 0.20.0 (May 16th, 2022) + +CHANGES: +* `global.enabled` now works as documented, that is, setting `global.enabled` to false will disable everything, with individual components able to be turned on individually [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Default value of `-` used for injector and server to indicate that they follow `global.enabled`. [GH-703](https://github.com/hashicorp/vault-helm/pull/703) +* Vault default image to 1.10.3 +* CSI provider default image to 1.1.0 +* Vault K8s default image to 0.16.0 +* Earliest Kubernetes version tested is now 1.16 +* Helm 3.6+ now required + +Features: +* Support topologySpreadConstraints in server and injector. [GH-652](https://github.com/hashicorp/vault-helm/pull/652) + +Improvements: +* CSI: Set `extraLabels` for daemonset, pods, and service account [GH-690](https://github.com/hashicorp/vault-helm/pull/690) +* Add namespace to injector-leader-elector role, rolebinding and secret [GH-683](https://github.com/hashicorp/vault-helm/pull/683) +* Support policy/v1 PodDisruptionBudget in Kubernetes 1.21+ for server and injector [GH-710](https://github.com/hashicorp/vault-helm/pull/710) +* Make the Cluster Address (CLUSTER_ADDR) configurable [GH-629](https://github.com/hashicorp/vault-helm/pull/709) +* server: Make `publishNotReadyAddresses` configurable for services [GH-694](https://github.com/hashicorp/vault-helm/pull/694) +* server: Allow config to be defined as a YAML object in the values file [GH-684](https://github.com/hashicorp/vault-helm/pull/684) +* Maintain default MutatingWebhookConfiguration values from `v1beta1` [GH-692](https://github.com/hashicorp/vault-helm/pull/692) + +## 0.19.0 (January 20th, 2022) + +CHANGES: +* Vault image default 1.9.2 +* Vault K8s image default 0.14.2 + +Features: +* Added configurable podDisruptionBudget for injector [GH-653](https://github.com/hashicorp/vault-helm/pull/653) +* Make terminationGracePeriodSeconds configurable for server [GH-659](https://github.com/hashicorp/vault-helm/pull/659) +* Added configurable update strategy for injector [GH-661](https://github.com/hashicorp/vault-helm/pull/661) +* csi: ability to set priorityClassName for CSI daemonset pods [GH-670](https://github.com/hashicorp/vault-helm/pull/670) + +Improvements: +* Set the namespace on the OpenShift Route [GH-679](https://github.com/hashicorp/vault-helm/pull/679) +* Add volumes and env vars to helm hook test pod [GH-673](https://github.com/hashicorp/vault-helm/pull/673) +* Make TLS configurable for OpenShift routes [GH-686](https://github.com/hashicorp/vault-helm/pull/686) + +## 0.18.0 (November 17th, 2021) + +CHANGES: +* Removed support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector since vault-k8s now uses an internal mechanism to determine leadership [GH-649](https://github.com/hashicorp/vault-helm/pull/649) +* Vault image default 1.9.0 +* Vault K8s image default 0.14.1 + +Improvements: +* Added templateConfig.staticSecretRenderInterval chart option for the injector [GH-621](https://github.com/hashicorp/vault-helm/pull/621) + +## 0.17.1 (October 25th, 2021) + +Improvements: + * Add option for Ingress PathType [GH-634](https://github.com/hashicorp/vault-helm/pull/634) + +## 0.17.0 (October 21st, 2021) + +KNOWN ISSUES: +* The chart will fail to deploy on Kubernetes 1.19+ with `server.ingress.enabled=true` because no `pathType` is set + +CHANGES: +* Vault image default 1.8.4 +* Vault K8s image default 0.14.0 + +Improvements: +* Support Ingress stable networking API [GH-590](https://github.com/hashicorp/vault-helm/pull/590) +* Support setting the `externalTrafficPolicy` for `LoadBalancer` and `NodePort` service types [GH-626](https://github.com/hashicorp/vault-helm/pull/626) +* Support setting ingressClassName on server Ingress [GH-630](https://github.com/hashicorp/vault-helm/pull/630) + +Bugs: +* Ensure `kubeletRootDir` volume path and mounts are the same when `csi.daemonSet.kubeletRootDir` is overridden [GH-628](https://github.com/hashicorp/vault-helm/pull/628) + +## 0.16.1 (September 29th, 2021) + +CHANGES: +* Vault image default 1.8.3 +* Vault K8s image default 0.13.1 + +## 0.16.0 (September 16th, 2021) + +CHANGES: +* Support for deploying a leader-elector container with the [vault-k8s injector](https://github.com/hashicorp/vault-k8s) injector will be removed in version 0.18.0 of this chart since vault-k8s now uses an internal mechanism to determine leadership. To enable the deployment of the leader-elector container for use with vault-k8s 0.12.0 and earlier, set `useContainer=true`. + +Improvements: + * Make CSI provider `hostPaths` configurable via `csi.daemonSet.providersDir` and `csi.daemonSet.kubeletRootDir` [GH-603](https://github.com/hashicorp/vault-helm/pull/603) + * Support vault-k8s internal leader election [GH-568](https://github.com/hashicorp/vault-helm/pull/568) [GH-607](https://github.com/hashicorp/vault-helm/pull/607) + +## 0.15.0 (August 23rd, 2021) + +Improvements: +* Add imagePullSecrets on server test [GH-572](https://github.com/hashicorp/vault-helm/pull/572) +* Add injector.webhookAnnotations chart option [GH-584](https://github.com/hashicorp/vault-helm/pull/584) + +## 0.14.0 (July 28th, 2021) + +Features: +* Added templateConfig.exitOnRetryFailure chart option for the injector [GH-560](https://github.com/hashicorp/vault-helm/pull/560) + +Improvements: +* Support configuring pod tolerations, pod affinity, and node selectors as YAML [GH-565](https://github.com/hashicorp/vault-helm/pull/565) +* Set the default vault image to come from the hashicorp organization [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add support for running the acceptance tests against a local `kind` cluster [GH-567](https://github.com/hashicorp/vault-helm/pull/567) +* Add `server.ingress.activeService` to configure if the ingress should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Add `server.route.activeService` to configure if the route should use the active service [GH-570](https://github.com/hashicorp/vault-helm/pull/570) +* Support configuring `global.imagePullSecrets` from a string array [GH-576](https://github.com/hashicorp/vault-helm/pull/576) + + +## 0.13.0 (June 17th, 2021) + +Improvements: +* Added a helm test for vault server [GH-531](https://github.com/hashicorp/vault-helm/pull/531) +* Added server.enterpriseLicense option [GH-547](https://github.com/hashicorp/vault-helm/pull/547) +* Added OpenShift overrides [GH-549](https://github.com/hashicorp/vault-helm/pull/549) + +Bugs: +* Fix ui.serviceNodePort schema [GH-537](https://github.com/hashicorp/vault-helm/pull/537) +* Fix server.ha.disruptionBudget.maxUnavailable schema [GH-535](https://github.com/hashicorp/vault-helm/pull/535) +* Added webhook-certs volume mount to sidecar injector [GH-545](https://github.com/hashicorp/vault-helm/pull/545) + +## 0.12.0 (May 25th, 2021) + +Features: +* Pass additional arguments to `vault-csi-provider` using `csi.extraArgs` [GH-526](https://github.com/hashicorp/vault-helm/pull/526) + +Improvements: +* Set chart kubeVersion and added chart-verifier tests [GH-510](https://github.com/hashicorp/vault-helm/pull/510) +* Added values json schema [GH-513](https://github.com/hashicorp/vault-helm/pull/513) +* Ability to set tolerations for CSI daemonset pods [GH-521](https://github.com/hashicorp/vault-helm/pull/521) +* UI target port is now configurable [GH-437](https://github.com/hashicorp/vault-helm/pull/437) + +Bugs: +* CSI: `global.imagePullSecrets` are now also used for CSI daemonset [GH-519](https://github.com/hashicorp/vault-helm/pull/519) + +## 0.11.0 (April 14th, 2021) + +Features: +* Added `server.enabled` to explicitly skip installing a Vault server [GH-486](https://github.com/hashicorp/vault-helm/pull/486) +* Injector now supports enabling host network [GH-471](https://github.com/hashicorp/vault-helm/pull/471) +* Injector port is now configurable [GH-489](https://github.com/hashicorp/vault-helm/pull/489) +* Injector Vault Agent resource defaults are now configurable [GH-493](https://github.com/hashicorp/vault-helm/pull/493) +* Extra paths can now be added to the Vault ingress service [GH-460](https://github.com/hashicorp/vault-helm/pull/460) +* Log level and format can now be set directly using `server.logFormat` and `server.logLevel` [GH-488](https://github.com/hashicorp/vault-helm/pull/488) + +Improvements: +* Added `https` name to injector service port [GH-495](https://github.com/hashicorp/vault-helm/pull/495) + +Bugs: +* CSI: Fix ClusterRole name and DaemonSet's service account to properly match deployment name [GH-486](https://github.com/hashicorp/vault-helm/pull/486) + +## 0.10.0 (March 25th, 2021) + +Features: +* Add support for [Vault CSI provider](https://github.com/hashicorp/vault-csi-provider) [GH-461](https://github.com/hashicorp/vault-helm/pull/461) + +Improvements: +* `objectSelector` can now be set on the mutating admission webhook [GH-456](https://github.com/hashicorp/vault-helm/pull/456) + +## 0.9.1 (February 2nd, 2021) + +Bugs: +* Injector: fix labels for default anti-affinity rule [GH-441](https://github.com/hashicorp/vault-helm/pull/441), [GH-442](https://github.com/hashicorp/vault-helm/pull/442) +* Set VAULT_DEV_LISTEN_ADDRESS in dev mode [GH-446](https://github.com/hashicorp/vault-helm/pull/446) + +## 0.9.0 (January 5th, 2021) + +Features: +* Injector now supports configurable number of replicas [GH-436](https://github.com/hashicorp/vault-helm/pull/436) +* Injector now supports auto TLS for multiple replicas using leader elections [GH-436](https://github.com/hashicorp/vault-helm/pull/436) + +Improvements: +* Dev mode now supports `server.extraArgs` [GH-421](https://github.com/hashicorp/vault-helm/pull/421) +* Dev mode root token is now configurable with `server.dev.devRootToken` [GH-415](https://github.com/hashicorp/vault-helm/pull/415) +* ClusterRoleBinding updated to `v1` [GH-395](https://github.com/hashicorp/vault-helm/pull/395) +* MutatingWebhook updated to `v1` [GH-408](https://github.com/hashicorp/vault-helm/pull/408) +* Injector service now supports `injector.service.annotations` [425](https://github.com/hashicorp/vault-helm/pull/425) +* Injector now supports `injector.extraLabels` [428](https://github.com/hashicorp/vault-helm/pull/428) +* Added `allowPrivilegeEscalation: false` to Vault and Injector containers [429](https://github.com/hashicorp/vault-helm/pull/429) +* Network Policy now supports `server.networkPolicy.egress` [389](https://github.com/hashicorp/vault-helm/pull/389) + +## 0.8.0 (October 20th, 2020) + +Improvements: +* Make server NetworkPolicy independent of OpenShift [GH-381](https://github.com/hashicorp/vault-helm/pull/381) +* Added configurables for all probe values [GH-387](https://github.com/hashicorp/vault-helm/pull/387) +* MountPath for audit and data storage is now configurable [GH-393](https://github.com/hashicorp/vault-helm/pull/393) +* Annotations can now be added to the Injector pods [GH-394](https://github.com/hashicorp/vault-helm/pull/394) +* The injector can now be configured with a failurePolicy [GH-400](https://github.com/hashicorp/vault-helm/pull/400) +* Added additional environment variables for rendering within Vault config [GH-398](https://github.com/hashicorp/vault-helm/pull/398) +* Service account for Vault K8s auth is automatically created when `injector.externalVaultAddr` is set [GH-392](https://github.com/hashicorp/vault-helm/pull/392) + +Bugs: +* Fixed install output using Helm V2 command [GH-378](https://github.com/hashicorp/vault-helm/pull/378) + +## 0.7.0 (August 24th, 2020) + +Features: +* Added `volumes` and `volumeMounts` for mounting _any_ type of volume [GH-314](https://github.com/hashicorp/vault-helm/pull/314). +* Added configurable to enable prometheus telemetery exporter for Vault Agent Injector [GH-372](https://github.com/hashicorp/vault-helm/pull/372) + +Improvements: +* Added `defaultMode` configurable to `extraVolumes`[GH-321](https://github.com/hashicorp/vault-helm/pull/321) +* Option to install and use PodSecurityPolicy's for vault server and injector [GH-177](https://github.com/hashicorp/vault-helm/pull/177) +* `VAULT_API_ADDR` is now configurable [GH-290](https://github.com/hashicorp/vault-helm/pull/290) +* Removed deprecated tolerate unready endpoint annotations [GH-363](https://github.com/hashicorp/vault-helm/pull/363) +* Add an option to set annotations on the StatefulSet [GH-199](https://github.com/hashicorp/vault-helm/pull/199) +* Make the vault server serviceAccount name a configuration option [GH-367](https://github.com/hashicorp/vault-helm/pull/367) +* Removed annotation striction from `dev` mode [GH-371](https://github.com/hashicorp/vault-helm/pull/371) +* Add an option to set annotations on PVCs [GH-364](https://github.com/hashicorp/vault-helm/pull/364) +* Added service configurables for UI [GH-285](https://github.com/hashicorp/vault-helm/pull/285) + +Bugs: +* Fix python dependency in test image [GH-337](https://github.com/hashicorp/vault-helm/pull/337) +* Fix caBundle not being quoted causing validation issues with Helm 3 [GH-352](https://github.com/hashicorp/vault-helm/pull/352) +* Fix injector network policy being rendered when injector is not enabled [GH-358](https://github.com/hashicorp/vault-helm/pull/358) + +## 0.6.0 (June 3rd, 2020) + +Features: +* Added `extraInitContainers` to define init containers for the Vault cluster [GH-258](https://github.com/hashicorp/vault-helm/pull/258) +* Added `postStart` lifecycle hook allowing users to configure commands to run on the Vault pods after they're ready [GH-315](https://github.com/hashicorp/vault-helm/pull/315) +* Beta: Added OpenShift support [GH-319](https://github.com/hashicorp/vault-helm/pull/319) + +Improvements: +* Server configs can now be defined in YAML. Multi-line string configs are still compatible [GH-213](https://github.com/hashicorp/vault-helm/pull/213) +* Removed IPC_LOCK privileges since swap is disabled on containers [[GH-198](https://github.com/hashicorp/vault-helm/pull/198)] +* Use port names that map to vault.scheme [[GH-223](https://github.com/hashicorp/vault-helm/pull/223)] +* Allow both yaml and multi-line string annotations [[GH-272](https://github.com/hashicorp/vault-helm/pull/272)] +* Added configurable to set the Raft node name to hostname [[GH-269](https://github.com/hashicorp/vault-helm/pull/269)] +* Support setting priorityClassName on pods [[GH-282](https://github.com/hashicorp/vault-helm/pull/282)] +* Added support for ingress apiVersion `networking.k8s.io/v1beta1` [[GH-310](https://github.com/hashicorp/vault-helm/pull/310)] +* Added configurable to change service type for the HA active service [GH-317](https://github.com/hashicorp/vault-helm/pull/317) + +Bugs: +* Fixed default ingress path [[GH-224](https://github.com/hashicorp/vault-helm/pull/224)] +* Fixed annotations for HA standby/active services [[GH-268](https://github.com/hashicorp/vault-helm/pull/268)] +* Updated some value defaults to match their use in templates [[GH-309](https://github.com/hashicorp/vault-helm/pull/309)] +* Use active service on ingress when ha [[GH-270](https://github.com/hashicorp/vault-helm/pull/270)] +* Fixed bug where pull secrets weren't being used for injector image [GH-298](https://github.com/hashicorp/vault-helm/pull/298) + +## 0.5.0 (April 9th, 2020) + +Features: + +* Added Raft support for HA mode [[GH-228](https://github.com/hashicorp/vault-helm/pull/229)] +* Now supports Vault Enterprise [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] +* Added K8s Service Registration for HA modes [[GH-250](https://github.com/hashicorp/vault-helm/pull/250)] + +* Option to set `AGENT_INJECT_VAULT_AUTH_PATH` for the injector [[GH-185](https://github.com/hashicorp/vault-helm/pull/185)] +* Added environment variables for logging and revocation on Vault Agent Injector [[GH-219](https://github.com/hashicorp/vault-helm/pull/219)] +* Option to set environment variables for the injector deployment [[GH-232](https://github.com/hashicorp/vault-helm/pull/232)] +* Added affinity, tolerations, and nodeSelector options for the injector deployment [[GH-234](https://github.com/hashicorp/vault-helm/pull/234)] +* Made all annotations multi-line strings [[GH-227](https://github.com/hashicorp/vault-helm/pull/227)] + +## 0.4.0 (February 21st, 2020) + +Improvements: + +* Allow process namespace sharing between Vault and sidecar containers [[GH-174](https://github.com/hashicorp/vault-helm/pull/174)] +* Added configurable to change updateStrategy [[GH-172](https://github.com/hashicorp/vault-helm/pull/172)] +* Added sleep in the preStop lifecycle step [[GH-188](https://github.com/hashicorp/vault-helm/pull/188)] +* Updated chart and tests to Helm 3 [[GH-195](https://github.com/hashicorp/vault-helm/pull/195)] +* Adds Values.injector.externalVaultAddr to use the injector with an external vault [[GH-207](https://github.com/hashicorp/vault-helm/pull/207)] + +Bugs: + +* Fix bug where Vault lifecycle was appended after extra containers. [[GH-179](https://github.com/hashicorp/vault-helm/pull/179)] + +## 0.3.3 (January 14th, 2020) + +Security: + +* Added `server.extraArgs` to allow loading of additional Vault configurations containing sensitive settings [GH-175](https://github.com/hashicorp/vault-helm/issues/175) + +Bugs: + +* Fixed injection bug where wrong environment variables were being used for manually mounted TLS files + +## 0.3.2 (January 8th, 2020) + +Bugs: + +* Fixed injection bug where TLS Skip Verify was true by default [VK8S-35] + +## 0.3.1 (January 2nd, 2020) + +Bugs: + +* Fixed injection bug causing kube-system pods to be rejected [VK8S-14] + +## 0.3.0 (December 19th, 2019) + +Features: + +* Extra containers can now be added to the Vault pods +* Added configurability of pod probes +* Added Vault Agent Injector + +Improvements: + +* Moved `global.image` to `server.image` +* Changed UI service template to route pods that aren't ready via `publishNotReadyAddresses: true` +* Added better HTTP/HTTPS scheme support to http probes +* Added configurable node port for Vault service +* `server.authDelegator` is now enabled by default + +Bugs: + +* Fixed upgrade bug by removing chart label which contained the version +* Fixed typo on `serviceAccount` (was `serviceaccount`) +* Fixed readiness/liveliness HTTP probe default to accept standbys + +## 0.2.1 (November 12th, 2019) + +Bugs: + +* Removed `readOnlyRootFilesystem` causing issues when validating deployments + +## 0.2.0 (October 29th, 2019) + +Features: + +* Added load balancer support +* Added ingress support +* Added configurable for service types (ClusterIP, NodePort, LoadBalancer, etc) +* Removed root requirements, now runs as Vault user + +Improvements: + +* Added namespace value to all rendered objects +* Made ports configurable in services +* Added the ability to add custom annotations to services +* Added docker image for running bats test in CircleCI +* Removed restrictions around `dev` mode such as annotations +* `readOnlyRootFilesystem` is now configurable +* Image Pull Policy is now configurable + +Bugs: + +* Fixed selector bugs related to Helm label updates (services, affinities, and pod disruption) +* Fixed bug where audit storage was not being mounted in HA mode +* Fixed bug where Vault pod wasn't receiving SIGTERM signals + + +## 0.1.2 (August 22nd, 2019) + +Features: + +* Added `extraSecretEnvironmentVars` to allow users to mount secrets as + environment variables +* Added `tlsDisable` configurable to change HTTP protocols from HTTP/HTTPS + depending on the value +* Added `serviceNodePort` to configure a NodePort value when setting `serviceType` + to "NodePort" + +Improvements: + +* Changed UI port to 8200 for better HTTP protocol support +* Added `path` to `extraVolumes` to define where the volume should be + mounted. Defaults to `/vault/userconfig` +* Upgraded Vault to 1.2.2 + +Bugs: + +* Fixed bug where upgrade would fail because immutable labels were being + changed (Helm Version label) +* Fixed bug where UI service used wrong selector after updating helm labels +* Added `VAULT_API_ADDR` env to Vault pod to fixed bug where Vault thinks + Consul is the active node +* Removed `step-down` preStop since it requires authentication. Shutdown signal + sent by Kube acts similar to `step-down` + + +## 0.1.1 (August 7th, 2019) + +Features: + +* Added `authDelegator` Cluster Role Binding to Vault service account for + bootstrapping Kube auth method + +Improvements: + +* Added `server.service.clusterIP` to `values.yml` so users can toggle + the Vault service to headless by using the value `None`. +* Upgraded Vault to 1.2.1 + +## 0.1.0 (August 6th, 2019) + +Initial release diff --git a/charts/hashicorp/vault/0.27.0/CODEOWNERS b/charts/hashicorp/vault/0.27.0/CODEOWNERS new file mode 100644 index 0000000000..af6a3500f5 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/CODEOWNERS @@ -0,0 +1 @@ +* @hashicorp/vault-ecosystem-foundations diff --git a/charts/hashicorp/vault/0.27.0/CONTRIBUTING.md b/charts/hashicorp/vault/0.27.0/CONTRIBUTING.md new file mode 100644 index 0000000000..ad31ac92d1 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/CONTRIBUTING.md @@ -0,0 +1,247 @@ +# Contributing to Vault Helm + +**Please note:** We take Vault's security and our users' trust very seriously. +If you believe you have found a security issue in Vault, please responsibly +disclose by contacting us at security@hashicorp.com. + +**First:** if you're unsure or afraid of _anything_, just ask or submit the +issue or pull request anyways. You won't be yelled at for giving it your best +effort. The worst that can happen is that you'll be politely asked to change +something. We appreciate any sort of contributions, and don't want a wall of +rules to get in the way of that. + +That said, if you want to ensure that a pull request is likely to be merged, +talk to us! You can find out our thoughts and ensure that your contribution +won't clash or be obviated by Vault's normal direction. A great way to do this +is via the [Vault Discussion Forum][1]. + +This document will cover what we're looking for in terms of reporting issues. +By addressing all the points we're looking for, it raises the chances we can +quickly merge or address your contributions. + +[1]: https://discuss.hashicorp.com/c/vault + +## Issues + +### Reporting an Issue + +* Make sure you test against the latest released version. It is possible + we already fixed the bug you're experiencing. Even better is if you can test + against `main`, as bugs are fixed regularly but new versions are only + released every few months. + +* Provide steps to reproduce the issue, and if possible include the expected + results as well as the actual results. Please provide text, not screen shots! + +* Respond as promptly as possible to any questions made by the Vault + team to your issue. Stale issues will be closed periodically. + +### Issue Lifecycle + +1. The issue is reported. + +2. The issue is verified and categorized by a Vault Helm collaborator. + Categorization is done via tags. For example, bugs are marked as "bugs". + +3. Unless it is critical, the issue may be left for a period of time (sometimes + many weeks), giving outside contributors -- maybe you!? -- a chance to + address the issue. + +4. The issue is addressed in a pull request or commit. The issue will be + referenced in the commit message so that the code that fixes it is clearly + linked. + +5. The issue is closed. Sometimes, valid issues will be closed to keep + the issue tracker clean. The issue is still indexed and available for + future viewers, or can be re-opened if necessary. + +## Testing + +The Helm chart ships with both unit and acceptance tests. + +The unit tests don't require any active Kubernetes cluster and complete +very quickly. These should be used for fast feedback during development. +The acceptance tests require a Kubernetes cluster with a configured `kubectl`. + +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites +* [Bats](https://github.com/bats-core/bats-core) + ```bash + brew install bats-core + ``` +* [yq](https://pypi.org/project/yq/) + ```bash + brew install python-yq + ``` +* [helm](https://helm.sh) + ```bash + brew install kubernetes-helm + ``` + +#### Test + +To run the unit tests: + + bats ./test/unit + +To run the acceptance tests: + + bats ./test/acceptance + +If the acceptance tests fail, deployed resources in the Kubernetes cluster +may not be properly cleaned up. We recommend recycling the Kubernetes cluster to +start from a clean slate. + +**Note:** There is a Terraform configuration in the +[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +that can be used to quickly bring up a GKE cluster and configure +`kubectl` and `helm` locally. This can be used to quickly spin up a test +cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes +cluster. + +### Writing Unit Tests + +Changes to the Helm chart should be accompanied by appropriate unit tests. + +#### Formatting + +- Put tests in the test file in the same order as the variables appear in the `values.yaml`. +- Start tests for a chart value with a header that says what is being tested, like this: + ``` + #-------------------------------------------------------------------- + # annotations + ``` + +- Name the test based on what it's testing in the following format (this will be its first line): + ``` + @test "
: " { + ``` + + When adding tests to an existing file, the first section will be the same as the other tests in the file. + +#### Test Details + +[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way. +In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output. +In this way, we're able to test that the various conditionals in the templates render as we would expect. + +Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well. +The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/). +`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length). +The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match. + +The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`. + +The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`. + +#### Test Examples + +Here are some examples of common test patterns: + +- Check that a value is disabled by default + + ``` + @test "ui/Service: no type by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "null" ] + } + ``` + + In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`. + This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`. + + +- Check that a template value is rendered to a specific value + ``` + @test "ui/Service: specified type" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.serviceType=LoadBalancer' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "LoadBalancer" ] + } + ``` + + This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value. + +- Check that a template value contains several values + ``` + @test "server/standalone-StatefulSet: custom resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.requests.memory=256Mi' \ + --set 'server.resources.requests.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.limits.memory=256Mi' \ + --set 'server.resources.limits.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + ``` + + *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work. + +- Check that an entire template file is not rendered + ``` + @test "syncCatalog/Deployment: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + } + ``` + Here we are check the length of the command output to see if the anything is rendered. + This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) diff --git a/charts/hashicorp/vault/0.27.0/Chart.yaml b/charts/hashicorp/vault/0.27.0/Chart.yaml new file mode 100644 index 0000000000..62928ab33d --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Vault + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: vault + charts.openshift.io/name: HashiCorp Vault +apiVersion: v2 +appVersion: 1.15.2 +description: Official HashiCorp Vault Chart +home: https://www.vaultproject.io +icon: https://github.com/hashicorp/vault/raw/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png +keywords: +- vault +- security +- encryption +- secrets +- management +- automation +- infrastructure +kubeVersion: '>= 1.20.0-0' +name: vault +sources: +- https://github.com/hashicorp/vault +- https://github.com/hashicorp/vault-helm +- https://github.com/hashicorp/vault-k8s +- https://github.com/hashicorp/vault-csi-provider +version: 0.27.0 diff --git a/charts/hashicorp/vault/0.27.0/LICENSE b/charts/hashicorp/vault/0.27.0/LICENSE new file mode 100644 index 0000000000..74f38c0103 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/LICENSE @@ -0,0 +1,355 @@ +Copyright (c) 2018 HashiCorp, Inc. + +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. diff --git a/charts/hashicorp/vault/0.27.0/Makefile b/charts/hashicorp/vault/0.27.0/Makefile new file mode 100644 index 0000000000..5600220645 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/Makefile @@ -0,0 +1,101 @@ +TEST_IMAGE?=vault-helm-test +GOOGLE_CREDENTIALS?=vault-helm-test.json +CLOUDSDK_CORE_PROJECT?=vault-helm-dev-246514 +# set to run a single test - e.g acceptance/server-ha-enterprise-dr.bats +ACCEPTANCE_TESTS?=acceptance + +# filter bats unit tests to run. +UNIT_TESTS_FILTER?='.*' + +# set to 'true' to run acceptance tests locally in a kind cluster +LOCAL_ACCEPTANCE_TESTS?=false + +# kind cluster name +KIND_CLUSTER_NAME?=vault-helm + +# kind k8s version +KIND_K8S_VERSION?=v1.26.3 + +# Generate json schema for chart values. See test/README.md for more details. +values-schema: + helm schema-gen values.yaml > values.schema.json + +test-image: + @docker build --rm -t $(TEST_IMAGE) -f $(CURDIR)/test/docker/Test.dockerfile $(CURDIR) + +test-unit: + @docker run --rm -it -v ${PWD}:/helm-test $(TEST_IMAGE) bats -f $(UNIT_TESTS_FILTER) /helm-test/test/unit + +test-bats: test-unit test-acceptance + +test: test-image test-bats + +# run acceptance tests on GKE +# set google project/credential vars above +test-acceptance: +ifeq ($(LOCAL_ACCEPTANCE_TESTS),true) + make setup-kind acceptance +else + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -e VAULT_LICENSE_CI=${VAULT_LICENSE_CI} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make acceptance +endif + +# destroy GKE cluster using terraform +test-destroy: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -w /helm-test \ + $(TEST_IMAGE) \ + make destroy-cluster + +# provision GKE cluster using terraform +test-provision: + @docker run -it -v ${PWD}:/helm-test \ + -e GOOGLE_CREDENTIALS=${GOOGLE_CREDENTIALS} \ + -e CLOUDSDK_CORE_PROJECT=${CLOUDSDK_CORE_PROJECT} \ + -e KUBECONFIG=/helm-test/.kube/config \ + -w /helm-test \ + $(TEST_IMAGE) \ + make provision-cluster + +# this target is for running the acceptance tests +# it is run in the docker container above when the test-acceptance target is invoked +acceptance: +ifneq ($(LOCAL_ACCEPTANCE_TESTS),true) + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} +endif + bats --tap --timing test/${ACCEPTANCE_TESTS} + +# this target is for provisioning the GKE cluster +# it is run in the docker container above when the test-provision target is invoked +provision-cluster: + gcloud auth activate-service-account --key-file=${GOOGLE_CREDENTIALS} + terraform init test/terraform + terraform apply -var project=${CLOUDSDK_CORE_PROJECT} -var init_cli=true -auto-approve test/terraform + +# this target is for removing the GKE cluster +# it is run in the docker container above when the test-destroy target is invoked +destroy-cluster: + terraform destroy -auto-approve + +# create a kind cluster for running the acceptance tests locally +setup-kind: + kind get clusters | grep -q "^${KIND_CLUSTER_NAME}$$" || \ + kind create cluster \ + --image kindest/node:${KIND_K8S_VERSION} \ + --name ${KIND_CLUSTER_NAME} \ + --config $(CURDIR)/test/kind/config.yaml + kubectl config use-context kind-${KIND_CLUSTER_NAME} + +# delete the kind cluster +delete-kind: + kind delete cluster --name ${KIND_CLUSTER_NAME} || : + +.PHONY: values-schema test-image test-unit test-bats test test-acceptance test-destroy test-provision acceptance provision-cluster destroy-cluster diff --git a/charts/hashicorp/vault/0.27.0/README.md b/charts/hashicorp/vault/0.27.0/README.md new file mode 100644 index 0000000000..256bd8b915 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/README.md @@ -0,0 +1,43 @@ +# Vault Helm Chart + +> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If +you believe you have found a security issue in Vault Helm, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +This repository contains the official HashiCorp Helm chart for installing +and configuring Vault on Kubernetes. This chart supports multiple use +cases of Vault on Kubernetes depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can +use Vault with Kubernetes, please see the +[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s). + +## Prerequisites + +To use the charts here, [Helm](https://helm.sh/) must be configured for your +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of +this README. Please refer to the Kubernetes and Helm documentation. + +The versions required are: + + * **Helm 3.6+** + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. + It is possible that this chart works with earlier versions but it is + untested. + +## Usage + +To install the latest version of this chart, add the Hashicorp helm repository +and run `helm install`: + +```console +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories + +$ helm install vault hashicorp/vault +``` + +Please see the many options supported in the `values.yaml` file. These are also +fully documented directly on the [Vault +website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more +detailed installation instructions. diff --git a/charts/hashicorp/vault/0.27.0/templates/NOTES.txt b/charts/hashicorp/vault/0.27.0/templates/NOTES.txt new file mode 100644 index 0000000000..60d99a4e56 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/NOTES.txt @@ -0,0 +1,14 @@ + +Thank you for installing HashiCorp Vault! + +Now that you have deployed Vault, you should look over the docs on using +Vault with Kubernetes available here: + +https://developer.hashicorp.com/vault/docs + + +Your release is named {{ .Release.Name }}. To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get manifest {{ .Release.Name }} + diff --git a/charts/hashicorp/vault/0.27.0/templates/_helpers.tpl b/charts/hashicorp/vault/0.27.0/templates/_helpers.tpl new file mode 100644 index 0000000000..8f77f92200 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/_helpers.tpl @@ -0,0 +1,1077 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to +this (by the DNS naming spec). If release name contains chart name it will +be used as a full name. +*/}} +{{- define "vault.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vault.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "vault.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "vault.namespace" -}} +{{- default .Release.Namespace .Values.global.namespace -}} +{{- end -}} + +{{/* +Compute if the csi driver is enabled. +*/}} +{{- define "vault.csiEnabled" -}} +{{- $_ := set . "csiEnabled" (or + (eq (.Values.csi.enabled | toString) "true") + (and (eq (.Values.csi.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the injector is enabled. +*/}} +{{- define "vault.injectorEnabled" -}} +{{- $_ := set . "injectorEnabled" (or + (eq (.Values.injector.enabled | toString) "true") + (and (eq (.Values.injector.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server is enabled. +*/}} +{{- define "vault.serverEnabled" -}} +{{- $_ := set . "serverEnabled" (or + (eq (.Values.server.enabled | toString) "true") + (and (eq (.Values.server.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount is enabled. +*/}} +{{- define "vault.serverServiceAccountEnabled" -}} +{{- $_ := set . "serverServiceAccountEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true" ) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server serviceaccount should have a token created and mounted to the serviceaccount. +*/}} +{{- define "vault.serverServiceAccountSecretCreationEnabled" -}} +{{- $_ := set . "serverServiceAccountSecretCreationEnabled" + (and + (eq (.Values.server.serviceAccount.create | toString) "true") + (eq (.Values.server.serviceAccount.createSecret | toString) "true")) -}} +{{- end -}} + + +{{/* +Compute if the server auth delegator serviceaccount is enabled. +*/}} +{{- define "vault.serverAuthDelegator" -}} +{{- $_ := set . "serverAuthDelegator" + (and + (eq (.Values.server.authDelegator.enabled | toString) "true" ) + (or (eq (.Values.server.serviceAccount.create | toString) "true") + (not (eq .Values.server.serviceAccount.name ""))) + (or + (eq (.Values.server.enabled | toString) "true") + (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute if the server service is enabled. +*/}} +{{- define "vault.serverServiceEnabled" -}} +{{- template "vault.serverEnabled" . -}} +{{- $_ := set . "serverServiceEnabled" (and .serverEnabled (eq (.Values.server.service.enabled | toString) "true")) -}} +{{- end -}} + +{{/* +Compute if the ui is enabled. +*/}} +{{- define "vault.uiEnabled" -}} +{{- $_ := set . "uiEnabled" (or + (eq (.Values.ui.enabled | toString) "true") + (and (eq (.Values.ui.enabled | toString) "-") (eq (.Values.global.enabled | toString) "true"))) -}} +{{- end -}} + +{{/* +Compute the maximum number of unavailable replicas for the PodDisruptionBudget. +This defaults to (n/2)-1 where n is the number of members of the server cluster. +Add a special case for replicas=1, where it should default to 0 as well. +*/}} +{{- define "vault.pdb.maxUnavailable" -}} +{{- if eq (int .Values.server.ha.replicas) 1 -}} +{{ 0 }} +{{- else if .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{ .Values.server.ha.disruptionBudget.maxUnavailable -}} +{{- else -}} +{{- div (sub (div (mul (int .Values.server.ha.replicas) 10) 2) 1) 10 -}} +{{- end -}} +{{- end -}} + +{{/* +Set the variable 'mode' to the server mode requested by the user to simplify +template logic. +*/}} +{{- define "vault.mode" -}} + {{- template "vault.serverEnabled" . -}} + {{- if or (.Values.injector.externalVaultAddr) (.Values.global.externalVaultAddr) -}} + {{- $_ := set . "mode" "external" -}} + {{- else if not .serverEnabled -}} + {{- $_ := set . "mode" "external" -}} + {{- else if eq (.Values.server.dev.enabled | toString) "true" -}} + {{- $_ := set . "mode" "dev" -}} + {{- else if eq (.Values.server.ha.enabled | toString) "true" -}} + {{- $_ := set . "mode" "ha" -}} + {{- else if or (eq (.Values.server.standalone.enabled | toString) "true") (eq (.Values.server.standalone.enabled | toString) "-") -}} + {{- $_ := set . "mode" "standalone" -}} + {{- else -}} + {{- $_ := set . "mode" "" -}} + {{- end -}} +{{- end -}} + +{{/* +Set's the replica count based on the different modes configured by user +*/}} +{{- define "vault.replicas" -}} + {{ if eq .mode "standalone" }} + {{- default 1 -}} + {{ else if eq .mode "ha" }} + {{- if or (kindIs "int64" .Values.server.ha.replicas) (kindIs "float64" .Values.server.ha.replicas) -}} + {{- .Values.server.ha.replicas -}} + {{ else }} + {{- 3 -}} + {{- end -}} + {{ else }} + {{- default 1 -}} + {{ end }} +{{- end -}} + +{{/* +Set's up configmap mounts if this isn't a dev deployment and the user +defined a custom configuration. Additionally iterates over any +extra volumes the user may have specified (such as a secret with TLS). +*/}} +{{- define "vault.volumes" -}} + {{- if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + configMap: + name: {{ template "vault.fullname" . }}-config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + {{ .type }}: + {{- if (eq .type "configMap") }} + name: {{ .name }} + {{- else if (eq .type "secret") }} + secretName: {{ .name }} + {{- end }} + defaultMode: {{ .defaultMode | default 420 }} + {{- end }} + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 8}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + secret: + secretName: {{ .Values.server.enterpriseLicense.secretName }} + defaultMode: 0440 + {{- end }} +{{- end -}} + +{{/* +Set's the args for custom command to render the Vault configuration +file with IP addresses to make the out of box experience easier +for users looking to use this chart with Consul Helm. +*/}} +{{- define "vault.args" -}} + {{ if or (eq .mode "standalone") (eq .mode "ha") }} + - | + cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; + [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; + [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; + [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; + [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; + /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl {{ .Values.server.extraArgs }} + {{ else if eq .mode "dev" }} + - | + /usr/local/bin/docker-entrypoint.sh vault server -dev {{ .Values.server.extraArgs }} + {{ end }} +{{- end -}} + +{{/* +Set's additional environment variables based on the mode. +*/}} +{{- define "vault.envs" -}} + {{ if eq .mode "dev" }} + - name: VAULT_DEV_ROOT_TOKEN_ID + value: {{ .Values.server.dev.devRootToken }} + - name: VAULT_DEV_LISTEN_ADDRESS + value: "[::]:8200" + {{ end }} +{{- end -}} + +{{/* +Set's which additional volumes should be mounted to the container +based on the mode configured. +*/}} +{{- define "vault.mounts" -}} + {{ if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - name: audit + mountPath: {{ .Values.server.auditStorage.mountPath }} + {{ end }} + {{ if or (eq .mode "standalone") (and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true")) }} + {{ if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - name: data + mountPath: {{ .Values.server.dataStorage.mountPath }} + {{ end }} + {{ end }} + {{ if and (ne .mode "dev") (or (.Values.server.standalone.config) (.Values.server.ha.config)) }} + - name: config + mountPath: /vault/config + {{ end }} + {{- range .Values.server.extraVolumes }} + - name: userconfig-{{ .name }} + readOnly: true + mountPath: {{ .path | default "/vault/userconfig" }}/{{ .name }} + {{- end }} + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 12}} + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: vault-license + mountPath: /vault/license + readOnly: true + {{- end }} +{{- end -}} + +{{/* +Set's up the volumeClaimTemplates when data or audit storage is required. HA +might not use data storage since Consul is likely it's backend, however, audit +storage might be desired by the user. +*/}} +{{- define "vault.volumeclaims" -}} + {{- if and (ne .mode "dev") (or .Values.server.dataStorage.enabled .Values.server.auditStorage.enabled) }} + volumeClaimTemplates: + {{- if and (eq (.Values.server.dataStorage.enabled | toString) "true") (or (eq .mode "standalone") (eq (.Values.server.ha.raft.enabled | toString ) "true" )) }} + - metadata: + name: data + {{- include "vault.dataVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.dataVolumeClaim.labels" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.dataStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.dataStorage.size }} + {{- if .Values.server.dataStorage.storageClass }} + storageClassName: {{ .Values.server.dataStorage.storageClass }} + {{- end }} + {{ end }} + {{- if eq (.Values.server.auditStorage.enabled | toString) "true" }} + - metadata: + name: audit + {{- include "vault.auditVolumeClaim.annotations" . | nindent 6 }} + {{- include "vault.auditVolumeClaim.labels" . | nindent 6 }} + spec: + accessModes: + - {{ .Values.server.auditStorage.accessMode | default "ReadWriteOnce" }} + resources: + requests: + storage: {{ .Values.server.auditStorage.size }} + {{- if .Values.server.auditStorage.storageClass }} + storageClassName: {{ .Values.server.auditStorage.storageClass }} + {{- end }} + {{ end }} + {{ end }} +{{- end -}} + +{{/* +Set's the affinity for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.affinity" -}} + {{- if and (ne .mode "dev") .Values.server.affinity }} + affinity: + {{ $tp := typeOf .Values.server.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the injector affinity for pod placement +*/}} +{{- define "injector.affinity" -}} + {{- if .Values.injector.affinity }} + affinity: + {{ $tp := typeOf .Values.injector.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the topologySpreadConstraints when running in standalone and HA modes. +*/}} +{{- define "vault.topologySpreadConstraints" -}} + {{- if and (ne .mode "dev") .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.server.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + + +{{/* +Sets the injector topologySpreadConstraints for pod placement +*/}} +{{- define "injector.topologySpreadConstraints" -}} + {{- if .Values.injector.topologySpreadConstraints }} + topologySpreadConstraints: + {{ $tp := typeOf .Values.injector.topologySpreadConstraints }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.topologySpreadConstraints . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} + +{{/* +Sets the toleration for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.tolerations" -}} + {{- if and (ne .mode "dev") .Values.server.tolerations }} + tolerations: + {{- $tp := typeOf .Values.server.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "injector.tolerations" -}} + {{- if .Values.injector.tolerations }} + tolerations: + {{- $tp := typeOf .Values.injector.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the node selector for pod placement when running in standalone and HA modes. +*/}} +{{- define "vault.nodeselector" -}} + {{- if and (ne .mode "dev") .Values.server.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.server.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.server.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.server.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector node selector for pod placement +*/}} +{{- define "injector.nodeselector" -}} + {{- if .Values.injector.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.injector.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.injector.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the injector deployment update strategy +*/}} +{{- define "injector.strategy" -}} + {{- if .Values.injector.strategy }} + strategy: + {{- $tp := typeOf .Values.injector.strategy }} + {{- if eq $tp "string" }} + {{ tpl .Values.injector.strategy . | nindent 4 | trim }} + {{- else }} + {{- toYaml .Values.injector.strategy | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra pod annotations +*/}} +{{- define "vault.annotations" -}} + {{- if .Values.server.annotations }} + annotations: + {{- $tp := typeOf .Values.server.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector pod annotations +*/}} +{{- define "injector.annotations" -}} + {{- if .Values.injector.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector service annotations +*/}} +{{- define "injector.service.annotations" -}} + {{- if .Values.injector.service.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector pod level. +*/}} +{{- define "injector.securityContext.pod" -}} + {{- if .Values.injector.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.injector.gid | default 1000 }} + runAsUser: {{ .Values.injector.uid | default 100 }} + fsGroup: {{ .Values.injector.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the injector container level. +*/}} +{{- define "injector.securityContext.container" -}} + {{- if .Values.injector.securityContext.container}} + securityContext: + {{- $tp := typeOf .Values.injector.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.injector.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset pod template. +*/}} +{{- define "server.statefulSet.securityContext.pod" -}} + {{- if .Values.server.statefulSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + runAsNonRoot: true + runAsGroup: {{ .Values.server.gid | default 1000 }} + runAsUser: {{ .Values.server.uid | default 100 }} + fsGroup: {{ .Values.server.gid | default 1000 }} + {{- end }} +{{- end -}} + +{{/* +securityContext for the statefulset vault container +*/}} +{{- define "server.statefulSet.securityContext.container" -}} + {{- if .Values.server.statefulSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.server.statefulSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.securityContext.container | nindent 12 }} + {{- end }} + {{- else if not .Values.global.openshift }} + securityContext: + allowPrivilegeEscalation: false + {{- end }} +{{- end -}} + + +{{/* +Sets extra injector service account annotations +*/}} +{{- define "injector.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.injector.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.injector.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.injector.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.injector.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra injector webhook annotations +*/}} +{{- define "injector.webhookAnnotations" -}} + {{- if or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations) }} + annotations: + {{- $tp := typeOf (or (((.Values.injector.webhook)).annotations) (.Values.injector.webhookAnnotations)) }} + {{- if eq $tp "string" }} + {{- tpl (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) . | nindent 4 }} + {{- else }} + {{- toYaml (((.Values.injector.webhook)).annotations | default .Values.injector.webhookAnnotations) | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the injector webhook objectSelector +*/}} +{{- define "injector.objectSelector" -}} + {{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}} + {{ if $v }} + objectSelector: + {{- $tp := typeOf $v -}} + {{ if eq $tp "string" }} + {{ tpl $v . | indent 6 | trim }} + {{ else }} + {{ toYaml $v | indent 6 | trim }} + {{ end }} + {{ end }} +{{ end }} + +{{/* +Sets extra ui service annotations +*/}} +{{- define "vault.ui.annotations" -}} + {{- if .Values.ui.annotations }} + annotations: + {{- $tp := typeOf .Values.ui.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.ui.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.ui.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vault.serviceAccount.name" -}} +{{- if .Values.server.serviceAccount.create -}} + {{ default (include "vault.fullname" .) .Values.server.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.server.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Sets extra service account annotations +*/}} +{{- define "vault.serviceAccount.annotations" -}} + {{- if and (ne .mode "dev") .Values.server.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.server.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra ingress annotations +*/}} +{{- define "vault.ingress.annotations" -}} + {{- if .Values.server.ingress.annotations }} + annotations: + {{- $tp := typeOf .Values.server.ingress.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.ingress.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.ingress.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra route annotations +*/}} +{{- define "vault.route.annotations" -}} + {{- if .Values.server.route.annotations }} + annotations: + {{- $tp := typeOf .Values.server.route.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.route.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.route.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.annotations" -}} + {{- if .Values.server.service.annotations }} + {{- $tp := typeOf .Values.server.service.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra vault server Service (active) annotations +*/}} +{{- define "vault.service.active.annotations" -}} + {{- if .Values.server.service.active.annotations }} + {{- $tp := typeOf .Values.server.service.active.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.active.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.active.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets extra vault server Service annotations +*/}} +{{- define "vault.service.standby.annotations" -}} + {{- if .Values.server.service.standby.annotations }} + {{- $tp := typeOf .Values.server.service.standby.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets PodSecurityPolicy annotations +*/}} +{{- define "vault.psp.annotations" -}} + {{- if .Values.global.psp.annotations }} + annotations: + {{- $tp := typeOf .Values.global.psp.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.global.psp.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.global.psp.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra statefulset annotations +*/}} +{{- define "vault.statefulSet.annotations" -}} + {{- if .Values.server.statefulSet.annotations }} + annotations: + {{- $tp := typeOf .Values.server.statefulSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.statefulSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.statefulSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for data volume +*/}} +{{- define "vault.dataVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.dataStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim labels for data volume +*/}} +{{- define "vault.dataVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.dataStorage.enabled) (.Values.server.dataStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.dataStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.dataStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.dataStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim annotations for audit volume +*/}} +{{- define "vault.auditVolumeClaim.annotations" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.annotations) }} + annotations: + {{- $tp := typeOf .Values.server.auditStorage.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets VolumeClaim labels for audit volume +*/}} +{{- define "vault.auditVolumeClaim.labels" -}} + {{- if and (ne .mode "dev") (.Values.server.auditStorage.enabled) (.Values.server.auditStorage.labels) }} + labels: + {{- $tp := typeOf .Values.server.auditStorage.labels }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.auditStorage.labels . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.auditStorage.labels | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Set's the container resources if the user has set any. +*/}} +{{- define "vault.resources" -}} + {{- if .Values.server.resources -}} + resources: +{{ toYaml .Values.server.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "injector.resources" -}} + {{- if .Values.injector.resources -}} + resources: +{{ toYaml .Values.injector.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources if the user has set any. +*/}} +{{- define "csi.resources" -}} + {{- if .Values.csi.resources -}} + resources: +{{ toYaml .Values.csi.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets the container resources for CSI's Agent sidecar if the user has set any. +*/}} +{{- define "csi.agent.resources" -}} + {{- if .Values.csi.agent.resources -}} + resources: +{{ toYaml .Values.csi.agent.resources | indent 12}} + {{ end }} +{{- end -}} + +{{/* +Sets extra CSI daemonset annotations +*/}} +{{- define "csi.daemonSet.annotations" -}} + {{- if .Values.csi.daemonSet.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.daemonSet.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for pod template +*/}} +{{- define "csi.daemonSet.securityContext.pod" -}} + {{- if .Values.csi.daemonSet.securityContext.pod }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.pod }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.pod . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.pod | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets CSI daemonset securityContext for container +*/}} +{{- define "csi.daemonSet.securityContext.container" -}} + {{- if .Values.csi.daemonSet.securityContext.container }} + securityContext: + {{- $tp := typeOf .Values.csi.daemonSet.securityContext.container }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.daemonSet.securityContext.container . | nindent 12 }} + {{- else }} + {{- toYaml .Values.csi.daemonSet.securityContext.container | nindent 12 }} + {{- end }} + {{- end }} +{{- end -}} + + +{{/* +Sets the injector toleration for pod placement +*/}} +{{- define "csi.pod.tolerations" -}} + {{- if .Values.csi.pod.tolerations }} + tolerations: + {{- $tp := typeOf .Values.csi.pod.tolerations }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.tolerations . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.tolerations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets the CSI provider nodeSelector for pod placement +*/}} +{{- define "csi.pod.nodeselector" -}} + {{- if .Values.csi.pod.nodeSelector }} + nodeSelector: + {{- $tp := typeOf .Values.csi.pod.nodeSelector }} + {{- if eq $tp "string" }} + {{ tpl .Values.csi.pod.nodeSelector . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.nodeSelector | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} +{{/* +Sets the CSI provider affinity for pod placement. +*/}} +{{- define "csi.pod.affinity" -}} + {{- if .Values.csi.pod.affinity }} + affinity: + {{ $tp := typeOf .Values.csi.pod.affinity }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.affinity . | nindent 8 | trim }} + {{- else }} + {{- toYaml .Values.csi.pod.affinity | nindent 8 }} + {{- end }} + {{ end }} +{{- end -}} +{{/* +Sets extra CSI provider pod annotations +*/}} +{{- define "csi.pod.annotations" -}} + {{- if .Values.csi.pod.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.pod.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.pod.annotations . | nindent 8 }} + {{- else }} + {{- toYaml .Values.csi.pod.annotations | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Sets extra CSI service account annotations +*/}} +{{- define "csi.serviceAccount.annotations" -}} + {{- if .Values.csi.serviceAccount.annotations }} + annotations: + {{- $tp := typeOf .Values.csi.serviceAccount.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.csi.serviceAccount.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.csi.serviceAccount.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Inject extra environment vars in the format key:value, if populated +*/}} +{{- define "vault.extraEnvironmentVars" -}} +{{- if .extraEnvironmentVars -}} +{{- range $key, $value := .extraEnvironmentVars }} +- name: {{ printf "%s" $key | replace "." "_" | upper | quote }} + value: {{ $value | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Inject extra environment populated by secrets, if populated +*/}} +{{- define "vault.extraSecretEnvironmentVars" -}} +{{- if .extraSecretEnvironmentVars -}} +{{- range .extraSecretEnvironmentVars }} +- name: {{ .envName }} + valueFrom: + secretKeyRef: + name: {{ .secretName }} + key: {{ .secretKey }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Scheme for health check and local endpoint */}} +{{- define "vault.scheme" -}} +{{- if .Values.global.tlsDisable -}} +{{ "http" }} +{{- else -}} +{{ "https" }} +{{- end -}} +{{- end -}} + +{{/* +imagePullSecrets generates pull secrets from either string or map values. +A map value must be indexable by the key 'name'. +*/}} +{{- define "imagePullSecrets" -}} +{{- with .Values.global.imagePullSecrets -}} +imagePullSecrets: +{{- range . -}} +{{- if typeIs "string" . }} + - name: {{ . }} +{{- else if index . "name" }} + - name: {{ .name }} +{{- end }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +externalTrafficPolicy sets a Service's externalTrafficPolicy if applicable. +Supported inputs are Values.server.service and Values.ui +*/}} +{{- define "service.externalTrafficPolicy" -}} +{{- $type := "" -}} +{{- if .serviceType -}} +{{- $type = .serviceType -}} +{{- else if .type -}} +{{- $type = .type -}} +{{- end -}} +{{- if and .externalTrafficPolicy (or (eq $type "LoadBalancer") (eq $type "NodePort")) }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} +{{- else }} +{{- end }} +{{- end -}} + +{{/* +loadBalancer configuration for the the UI service. +Supported inputs are Values.ui +*/}} +{{- define "service.loadBalancer" -}} +{{- if eq (.serviceType | toString) "LoadBalancer" }} +{{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} +{{- end }} +{{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range . }} + - {{ . }} +{{- end }} +{{- end -}} +{{- end }} +{{- end -}} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-agent-configmap.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000000..18cdb04ac4 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-agent-configmap.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-clusterrole.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-clusterrole.yaml new file mode 100644 index 0000000000..6d979ea40c --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-clusterrole.yaml @@ -0,0 +1,23 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-clusterrolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-clusterrolebinding.yaml new file mode 100644 index 0000000000..506ec944a7 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-daemonset.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-daemonset.yaml new file mode 100644 index 0000000000..1436ff9058 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-daemonset.yaml @@ -0,0 +1,157 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.daemonSet.annotations" . }} +spec: + updateStrategy: + type: {{ .Values.csi.daemonSet.updateStrategy.type }} + {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "csi.pod.annotations" . }} + spec: + {{ template "csi.daemonSet.securityContext.pod" . }} + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} + containers: + - name: {{ include "vault.name" . }}-csi-provider + {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . }} + image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + imagePullPolicy: {{ .Values.csi.image.pullPolicy }} + args: + - --endpoint=/provider/vault.sock + - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- end }} + volumeMounts: + - name: providervol + mountPath: "/provider" + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} + volumes: + - name: providervol + hostPath: + path: {{ .Values.csi.daemonSet.providersDir }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-role.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-role.yaml new file mode 100644 index 0000000000..17e1918b4f --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-role.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-role + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "vault.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-rolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-rolebinding.yaml new file mode 100644 index 0000000000..3d3b981b85 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-rolebinding.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/csi-serviceaccount.yaml b/charts/hashicorp/vault/0.27.0/templates/csi-serviceaccount.yaml new file mode 100644 index 0000000000..6327a7b2fa --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/csi-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.serviceAccount.annotations" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-certs-secret.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-certs-secret.yaml new file mode 100644 index 0000000000..f6995af108 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-certs-secret.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: v1 +kind: Secret +metadata: + name: vault-injector-certs + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-clusterrole.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-clusterrole.yaml new file mode 100644 index 0000000000..d5682dd76a --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-clusterrole.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: + - "get" + - "list" + - "watch" + - "patch" +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-clusterrolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-clusterrolebinding.yaml new file mode 100644 index 0000000000..82cbce0ced --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-binding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-deployment.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-deployment.yaml new file mode 100644 index 0000000000..822e8e41dc --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-deployment.yaml @@ -0,0 +1,179 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +# Deployment for the injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + replicas: {{ .Values.injector.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{ template "injector.strategy" . }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- if .Values.injector.extraLabels -}} + {{- toYaml .Values.injector.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "injector.annotations" . }} + spec: + {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} + {{ template "injector.tolerations" . }} + {{ template "injector.nodeselector" . }} + {{- if .Values.injector.priorityClassName }} + priorityClassName: {{ .Values.injector.priorityClassName }} + {{- end }} + serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{ template "injector.securityContext.pod" . -}} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.injector.hostNetwork }} + {{- end }} + containers: + - name: sidecar-injector + {{ template "injector.resources" . }} + image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" + imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" + {{- template "injector.securityContext.container" . }} + env: + - name: AGENT_INJECT_LISTEN + value: {{ printf ":%v" .Values.injector.port }} + - name: AGENT_INJECT_LOG_LEVEL + value: {{ .Values.injector.logLevel | default "info" }} + - name: AGENT_INJECT_VAULT_ADDR + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else if .Values.injector.externalVaultAddr }} + value: "{{ .Values.injector.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- end }} + - name: AGENT_INJECT_VAULT_AUTH_PATH + value: {{ .Values.injector.authPath }} + - name: AGENT_INJECT_VAULT_IMAGE + value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" + {{- if .Values.injector.certs.secretName }} + - name: AGENT_INJECT_TLS_CERT_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" + - name: AGENT_INJECT_TLS_KEY_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" + {{- else }} + - name: AGENT_INJECT_TLS_AUTO + value: {{ template "vault.fullname" . }}-agent-injector-cfg + - name: AGENT_INJECT_TLS_AUTO_HOSTS + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc + {{- end }} + - name: AGENT_INJECT_LOG_FORMAT + value: {{ .Values.injector.logFormat | default "standard" }} + - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN + value: "{{ .Values.injector.revokeOnShutdown | default false }}" + {{- if .Values.global.openshift }} + - name: AGENT_INJECT_SET_SECURITY_CONTEXT + value: "false" + {{- end }} + {{- if .Values.injector.metrics.enabled }} + - name: AGENT_INJECT_TELEMETRY_PATH + value: "/metrics" + {{- end }} + {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} + - name: AGENT_INJECT_USE_LEADER_ELECTOR + value: "true" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" + - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE + value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} + {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + - agent-inject + - 2>&1 + livenessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} +{{- if .Values.injector.certs.secretName }} + volumes: + - name: webhook-certs + secret: + secretName: "{{ .Values.injector.certs.secretName }}" +{{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-disruptionbudget.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-disruptionbudget.yaml new file mode 100644 index 0000000000..2b2a61c6fe --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-disruptionbudget.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.injector.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} +{{- end -}} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-mutating-webhook.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-mutating-webhook.yaml new file mode 100644 index 0000000000..b1de1ee3f4 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-mutating-webhook.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-cfg + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "injector.webhookAnnotations" . }} +webhooks: + - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} + sideEffects: None + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ include "vault.namespace" . }} + path: "/mutate" + caBundle: {{ .Values.injector.certs.caBundle | quote }} + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} + namespaceSelector: +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} +{{ end }} +{{- template "injector.objectSelector" . -}} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-network-policy.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-network-policy.yaml new file mode 100644 index 0000000000..4c3b087828 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-network-policy.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-psp-role.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-psp-role.yaml new file mode 100644 index 0000000000..a07f8f6c0c --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-psp-rolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-psp-rolebinding.yaml new file mode 100644 index 0000000000..3c97e8dad0 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-psp.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-psp.yaml new file mode 100644 index 0000000000..0eca9a87c6 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-psp.yaml @@ -0,0 +1,51 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-role.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-role.yaml new file mode 100644 index 0000000000..b2ad0c7b98 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-role.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: + - "create" + - "get" + - "watch" + - "list" + - "update" + - apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "patch" + - "delete" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-rolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-rolebinding.yaml new file mode 100644 index 0000000000..6ad25ca695 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-rolebinding.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-service.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-service.yaml new file mode 100644 index 0000000000..1479cd1ab9 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-service.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.service.annotations" . }} +spec: + ports: + - name: https + port: 443 + targetPort: {{ .Values.injector.port }} + selector: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/injector-serviceaccount.yaml b/charts/hashicorp/vault/0.27.0/templates/injector-serviceaccount.yaml new file mode 100644 index 0000000000..2f91c3d4aa --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/injector-serviceaccount.yaml @@ -0,0 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/prometheus-prometheusrules.yaml b/charts/hashicorp/vault/0.27.0/templates/prometheus-prometheusrules.yaml new file mode 100644 index 0000000000..7e58a0e522 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/prometheus-prometheusrules.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ if and (.Values.serverTelemetry.prometheusRules.rules) + (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) +}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + groups: + - name: {{ include "vault.fullname" . }} + rules: + {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/prometheus-servicemonitor.yaml b/charts/hashicorp/vault/0.27.0/templates/prometheus-servicemonitor.yaml new file mode 100644 index 0000000000..25d30a468e --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/prometheus-servicemonitor.yaml @@ -0,0 +1,49 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if eq .mode "ha" }} + vault-active: "true" + {{- else }} + vault-internal: "true" + {{- end }} + endpoints: + - port: {{ include "vault.scheme" . }} + interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} + scheme: {{ include "vault.scheme" . | lower }} + path: /v1/sys/metrics + params: + format: + - prometheus + tlsConfig: + insecureSkipVerify: true + namespaceSelector: + matchNames: + - {{ include "vault.namespace" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..14ec838a04 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-server-binding + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} +{{ end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/server-config-configmap.yaml b/charts/hashicorp/vault/0.27.0/templates/server-config-configmap.yaml new file mode 100644 index 0000000000..5c660579fe --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-config-configmap.yaml @@ -0,0 +1,45 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +{{- if ne .mode "dev" -}} +{{ if or (.Values.server.standalone.config) (.Values.server.ha.config) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-config + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + extraconfig-from-values.hcl: |- + {{- if or (eq .mode "ha") (eq .mode "standalone") }} + {{- $type := typeOf (index .Values.server .mode).config }} + {{- if eq $type "string" }} + disable_mlock = true + {{- if eq .mode "standalone" }} + {{ tpl .Values.server.standalone.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "false") }} + {{ tpl .Values.server.ha.config . | nindent 4 | trim }} + {{- else if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} + {{ tpl .Values.server.ha.raft.config . | nindent 4 | trim }} + {{ end }} + {{- else }} + {{- if and (eq .mode "ha") (eq (.Values.server.ha.raft.enabled | toString) "true") }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).raft.config | toPrettyJson | indent 4 }} + {{- else }} +{{ merge (dict "disable_mlock" true) (index .Values.server .mode).config | toPrettyJson | indent 4 }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-discovery-role.yaml b/charts/hashicorp/vault/0.27.0/templates/server-discovery-role.yaml new file mode 100644 index 0000000000..0cbdefaff0 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-discovery-role.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ include "vault.namespace" . }} + name: {{ template "vault.fullname" . }}-discovery-role + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "patch"] +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-discovery-rolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/server-discovery-rolebinding.yaml new file mode 100644 index 0000000000..87b0f6170d --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-discovery-rolebinding.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-discovery-rolebinding + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-discovery-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/vault/0.27.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..bbe9eb2995 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-ha-active-service.yaml b/charts/hashicorp/vault/0.27.0/templates/server-ha-active-service.yaml new file mode 100644 index 0000000000..9d2abfbb15 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-ha-active-service.yaml @@ -0,0 +1,64 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} +# Service for active Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-active + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-active: "true" + annotations: +{{- template "vault.service.active.annotations" . }} +{{- template "vault.service.annotations" . }} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "true" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-ha-standby-service.yaml b/charts/hashicorp/vault/0.27.0/templates/server-ha-standby-service.yaml new file mode 100644 index 0000000000..bae1e28345 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-ha-standby-service.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} +# Service for standby Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-standby + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{- template "vault.service.standby.annotations" . }} +{{- template "vault.service.annotations" . }} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "false" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-headless-service.yaml b/charts/hashicorp/vault/0.27.0/templates/server-headless-service.yaml new file mode 100644 index 0000000000..c0f4d34604 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-headless-service.yaml @@ -0,0 +1,47 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-internal + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-internal: "true" + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: "{{ include "vault.scheme" . }}" + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-ingress.yaml b/charts/hashicorp/vault/0.27.0/templates/server-ingress.yaml new file mode 100644 index 0000000000..d796bae416 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-ingress.yaml @@ -0,0 +1,69 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if not .Values.global.openshift }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +{{- $servicePort := .Values.server.service.port -}} +{{- $pathType := .Values.server.ingress.pathType -}} +{{- $kubeVersion := .Capabilities.KubeVersion.Version }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.ingress.annotations" . }} +spec: +{{- if .Values.server.ingress.tls }} + tls: + {{- range .Values.server.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} +{{- if .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} +{{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + {{- range (.paths | default (list "/")) }} + - path: {{ . }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/templates/server-network-policy.yaml b/charts/hashicorp/vault/0.27.0/templates/server-network-policy.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-network-policy.yaml rename to charts/hashicorp/vault/0.27.0/templates/server-network-policy.yaml diff --git a/charts/hashicorp/vault/0.27.0/templates/server-psp-role.yaml b/charts/hashicorp/vault/0.27.0/templates/server-psp-role.yaml new file mode 100644 index 0000000000..64cd6c5076 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-psp-rolebinding.yaml b/charts/hashicorp/vault/0.27.0/templates/server-psp-rolebinding.yaml new file mode 100644 index 0000000000..342f553796 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-psp.yaml b/charts/hashicorp/vault/0.27.0/templates/server-psp.yaml new file mode 100644 index 0000000000..567e66245e --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-psp.yaml @@ -0,0 +1,54 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - persistentVolumeClaim + {{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-route.yaml b/charts/hashicorp/vault/0.27.0/templates/server-route.yaml new file mode 100644 index 0000000000..4e955555ab --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-route.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.global.openshift }} +{{- if ne .mode "external" }} +{{- if .Values.server.route.enabled -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.route.annotations" . }} +spec: + host: {{ .Values.server.route.host }} + to: + kind: Service + name: {{ $serviceName }} + weight: 100 + port: + targetPort: 8200 + tls: + {{- toYaml .Values.server.route.tls | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-service.yaml b/charts/hashicorp/vault/0.27.0/templates/server-service.yaml new file mode 100644 index 0000000000..c12e190cb3 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-service.yaml @@ -0,0 +1,59 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount-secret.yaml b/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount-secret.yaml new file mode 100644 index 0000000000..74d70f9005 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount-secret.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vault.serviceAccount.name" . }}-token + namespace: {{ include "vault.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount.yaml b/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..216ea6178a --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/server-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "vault.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/templates/server-statefulset.yaml b/charts/hashicorp/vault/0.27.0/templates/server-statefulset.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-statefulset.yaml rename to charts/hashicorp/vault/0.27.0/templates/server-statefulset.yaml diff --git a/charts/hashicorp/vault/0.27.0/templates/tests/server-test.yaml b/charts/hashicorp/vault/0.27.0/templates/tests/server-test.yaml new file mode 100644 index 0000000000..20e2e5a5a1 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/tests/server-test.yaml @@ -0,0 +1,56 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "vault.fullname" . }}-server-test + namespace: {{ include "vault.namespace" . }} + annotations: + "helm.sh/hook": test +spec: + {{- include "imagePullSecrets" . | nindent 2 }} + containers: + - name: {{ .Release.Name }}-server-test + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + env: + - name: VAULT_ADDR + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'vault status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + vault status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'vault status' output" + exit 1 + fi + + exit 0 + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} + restartPolicy: Never +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/templates/ui-service.yaml b/charts/hashicorp/vault/0.27.0/templates/ui-service.yaml new file mode 100644 index 0000000000..95370842e7 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/templates/ui-service.yaml @@ -0,0 +1,50 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-ui + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.ui.annotations" . }} +spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.ui.serviceIPFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }} + {{- end }} + {{- if .Values.ui.serviceIPFamilies }} + ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} + vault-active: "true" + {{- end }} + publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.ui.externalPort }} + targetPort: {{ .Values.ui.targetPort }} + {{- if .Values.ui.serviceNodePort }} + nodePort: {{ .Values.ui.serviceNodePort }} + {{- end }} + type: {{ .Values.ui.serviceType }} + {{- include "service.externalTrafficPolicy" .Values.ui }} + {{- include "service.loadBalancer" .Values.ui }} +{{- end -}} +{{- end }} diff --git a/charts/hashicorp/vault/0.27.0/values.openshift.yaml b/charts/hashicorp/vault/0.27.0/values.openshift.yaml new file mode 100644 index 0000000000..bafc5e699d --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/values.openshift.yaml @@ -0,0 +1,24 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# These overrides are appropriate defaults for deploying this chart on OpenShift + +global: + openshift: true + +injector: + image: + repository: "registry.connect.redhat.com/hashicorp/vault-k8s" + tag: "1.3.1-ubi" + + agentImage: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.15.2-ubi" + +server: + image: + repository: "registry.connect.redhat.com/hashicorp/vault" + tag: "1.15.2-ubi" + + readinessProbe: + path: "/v1/sys/health?uninitcode=204" diff --git a/charts/hashicorp/vault/0.27.0/values.schema.json b/charts/hashicorp/vault/0.27.0/values.schema.json new file mode 100644 index 0000000000..9760657333 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/values.schema.json @@ -0,0 +1,1215 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "csi": { + "type": "object", + "properties": { + "agent": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, + "daemonSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "kubeletRootDir": { + "type": "string" + }, + "providersDir": { + "type": "string" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "updateStrategy": { + "type": "object", + "properties": { + "maxUnavailable": { + "type": "string" + }, + "type": { + "type": "string" + } + } + } + } + }, + "debug": { + "type": "boolean" + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "extraArgs": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "pod": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "null", + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + } + } + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "extraLabels": { + "type": "object" + } + } + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + } + } + }, + "global": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "namespace": { + "type": "string" + }, + "externalVaultAddr": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "openshift": { + "type": "boolean" + }, + "psp": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enable": { + "type": "boolean" + } + } + }, + "tlsDisable": { + "type": "boolean" + } + } + }, + "injector": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "agentDefaults": { + "type": "object", + "properties": { + "cpuLimit": { + "type": "string" + }, + "cpuRequest": { + "type": "string" + }, + "memLimit": { + "type": "string" + }, + "memRequest": { + "type": "string" + }, + "ephemeralLimit": { + "type": "string" + }, + "ephemeralRequest": { + "type": "string" + }, + "template": { + "type": "string" + }, + "templateConfig": { + "type": "object", + "properties": { + "exitOnRetryFailure": { + "type": "boolean" + }, + "staticSecretRenderInterval": { + "type": "string" + } + } + } + } + }, + "agentImage": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "authPath": { + "type": "string" + }, + "certs": { + "type": "object", + "properties": { + "caBundle": { + "type": "string" + }, + "certName": { + "type": "string" + }, + "keyName": { + "type": "string" + }, + "secretName": { + "type": [ + "null", + "string" + ] + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalVaultAddr": { + "type": "string" + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraLabels": { + "type": "object" + }, + "failurePolicy": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "leaderElector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "namespaceSelector": { + "type": "object" + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "podDisruptionBudget": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "revokeOnShutdown": { + "type": "boolean" + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "strategy": { + "type": [ + "object", + "string" + ] + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "webhook": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "failurePolicy": { + "type": "string" + }, + "matchPolicy": { + "type": "string" + }, + "namespaceSelector": { + "type": "object" + }, + "objectSelector": { + "type": [ + "object", + "string" + ] + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "webhookAnnotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": [ + "object", + "string" + ] + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "auditStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "labels": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "authDelegator": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "dataStorage": { + "type": "object", + "properties": { + "accessMode": { + "type": "string" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "labels": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": [ + "null", + "string" + ] + } + } + }, + "persistentVolumeClaimRetentionPolicy": { + "type": "object", + "properties": { + "whenDeleted": { + "type": "string" + }, + "whenScaled": { + "type": "string" + } + } + }, + "dev": { + "type": "object", + "properties": { + "devRootToken": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + } + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "enterpriseLicense": { + "type": "object", + "properties": { + "secretKey": { + "type": "string" + }, + "secretName": { + "type": "string" + } + } + }, + "extraArgs": { + "type": "string" + }, + "extraPorts": { + "type": [ + "null", + "array" + ] + }, + "extraContainers": { + "type": [ + "null", + "array" + ] + }, + "extraEnvironmentVars": { + "type": "object" + }, + "extraInitContainers": { + "type": [ + "null", + "array" + ] + }, + "extraLabels": { + "type": "object" + }, + "extraSecretEnvironmentVars": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "ha": { + "type": "object", + "properties": { + "apiAddr": { + "type": [ + "null", + "string" + ] + }, + "clusterAddr": { + "type": [ + "null", + "string" + ] + }, + "config": { + "type": [ + "string", + "object" + ] + }, + "disruptionBudget": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": [ + "null", + "integer" + ] + } + } + }, + "enabled": { + "type": "boolean" + }, + "raft": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": "boolean" + }, + "setNodeId": { + "type": "boolean" + } + } + }, + "replicas": { + "type": "integer" + } + } + }, + "hostAliases": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array" + } + } + } + }, + "ingressClassName": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "pathType": { + "type": "string" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "path": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "execCommand": { + "type": "array" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "logFormat": { + "type": "string" + }, + "logLevel": { + "type": "string" + }, + "networkPolicy": { + "type": "object", + "properties": { + "egress": { + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "ingress": { + "type": "array" + } + } + }, + "nodeSelector": { + "type": [ + "null", + "object", + "string" + ] + }, + "postStart": { + "type": "array" + }, + "preStopSleepSeconds": { + "type": "integer" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "resources": { + "type": "object" + }, + "route": { + "type": "object", + "properties": { + "activeService": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "host": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "tls": { + "type": "object" + } + } + }, + "service": { + "type": "object", + "properties": { + "active": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": "boolean" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "instanceSelector": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "port": { + "type": "integer" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "standby": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + } + } + }, + "targetPort": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "activeNodePort": { + "type": "integer" + }, + "standbyNodePort": { + "type": "integer" + }, + "ipFamilyPolicy": { + "type": "string" + }, + "ipFamilies": { + "type": [ + "array" + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "create": { + "type": "boolean" + }, + "extraLabels": { + "type": "object" + }, + "createSecret": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "serviceDiscovery": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + }, + "shareProcessNamespace": { + "type": "boolean" + }, + "standalone": { + "type": "object", + "properties": { + "config": { + "type": [ + "string", + "object" + ] + }, + "enabled": { + "type": [ + "string", + "boolean" + ] + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": [ + "object", + "string" + ] + }, + "securityContext": { + "type": "object", + "properties": { + "container": { + "type": [ + "object", + "string" + ] + }, + "pod": { + "type": [ + "object", + "string" + ] + } + } + } + } + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "type": [ + "null", + "array", + "string" + ] + }, + "topologySpreadConstraints": { + "type": [ + "null", + "array", + "string" + ] + }, + "updateStrategyType": { + "type": "string" + }, + "volumeMounts": { + "type": [ + "null", + "array" + ] + }, + "volumes": { + "type": [ + "null", + "array" + ] + }, + "hostNetwork": { + "type": "boolean" + } + } + }, + "serverTelemetry": { + "type": "object", + "properties": { + "prometheusRules": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "rules": { + "type": "array" + }, + "selectors": { + "type": "object" + } + } + } + } + }, + "ui": { + "type": "object", + "properties": { + "activeVaultPodOnly": { + "type": "boolean" + }, + "annotations": { + "type": [ + "object", + "string" + ] + }, + "enabled": { + "type": [ + "boolean", + "string" + ] + }, + "externalPort": { + "type": "integer" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "publishNotReadyAddresses": { + "type": "boolean" + }, + "serviceNodePort": { + "type": [ + "null", + "integer" + ] + }, + "serviceType": { + "type": "string" + }, + "targetPort": { + "type": "integer" + }, + "serviceIPFamilyPolicy": { + "type": [ + "string" + ] + }, + "serviceIPFamilies": { + "type": [ + "array" + ] + } + } + } + } +} diff --git a/charts/hashicorp/vault/0.27.0/values.yaml b/charts/hashicorp/vault/0.27.0/values.yaml new file mode 100644 index 0000000000..17f5ca5722 --- /dev/null +++ b/charts/hashicorp/vault/0.27.0/values.yaml @@ -0,0 +1,1309 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: MPL-2.0 + +# Available parameters and their default values for the Vault chart. + +global: + # enabled is the master enabled switch. Setting this to true or false + # will enable or disable all the components within this chart by default. + enabled: true + + # The namespace to deploy to. Defaults to the `helm` installation namespace. + namespace: "" + + # Image pull secret to use for registry authentication. + # Alternatively, the value may be specified as an array of strings. + imagePullSecrets: [] + # imagePullSecrets: + # - name: image-pull-secret + + # TLS for end-to-end encrypted transport + tlsDisable: true + + # External vault server address for the injector and CSI provider to use. + # Setting this will disable deployment of a vault server. + externalVaultAddr: "" + + # If deploying to OpenShift + openshift: false + + # Create PodSecurityPolicy for pods + psp: + enable: false + # Annotation for PodSecurityPolicy. + # This is a multi-line templated string map, and can also be set as YAML. + annotations: | + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default + apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + + serverTelemetry: + # Enable integration with the Prometheus Operator + # See the top level serverTelemetry section below before enabling this feature. + prometheusOperator: false + +injector: + # True if you want to enable vault agent injection. + # @default: global.enabled + enabled: "-" + + replicas: 1 + + # Configures the port the injector should listen on + port: 8080 + + # If multiple replicas are specified, by default a leader will be determined + # so that only one injector attempts to create TLS certificates. + leaderElector: + enabled: true + + # If true, will enable a node exporter metrics endpoint at /metrics. + metrics: + enabled: false + + # Deprecated: Please use global.externalVaultAddr instead. + externalVaultAddr: "" + + # image sets the repo and tag of the vault-k8s image to use for the injector. + image: + repository: "hashicorp/vault-k8s" + tag: "1.3.1" + pullPolicy: IfNotPresent + + # agentImage sets the repo and tag of the Vault image to use for the Vault Agent + # containers. This should be set to the official Vault image. Vault 1.3.1+ is + # required. + agentImage: + repository: "hashicorp/vault" + tag: "1.15.2" + + # The default values for the injected Vault Agent containers. + agentDefaults: + # For more information on configuring resources, see the K8s documentation: + # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + cpuLimit: "500m" + cpuRequest: "250m" + memLimit: "128Mi" + memRequest: "64Mi" + # ephemeralLimit: "128Mi" + # ephemeralRequest: "64Mi" + + # Default template type for secrets when no custom template is specified. + # Possible values include: "json" and "map". + template: "map" + + # Default values within Agent's template_config stanza. + templateConfig: + exitOnRetryFailure: true + staticSecretRenderInterval: "" + + # Used to define custom livenessProbe settings + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom readinessProbe settings + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 2 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + # Used to define custom startupProbe settings + startupProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 12 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 5 + + # Mount Path of the Vault Kubernetes Auth Method. + authPath: "auth/kubernetes" + + # Configures the log verbosity of the injector. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "info" + + # Configures the log format of the injector. Supported log formats: "standard", "json". + logFormat: "standard" + + # Configures all Vault Agent sidecars to revoke their token when shutting down + revokeOnShutdown: false + + webhook: + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while the webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # matchPolicy specifies the approach to accepting changes based on the rules of + # the MutatingWebhookConfiguration. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy + # for more details. + # + matchPolicy: Exact + + # timeoutSeconds is the amount of seconds before the webhook request will be ignored + # or fails. + # If it is ignored or fails depends on the failurePolicy + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#timeouts + # for more details. + # + timeoutSeconds: 30 + + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: | + matchExpressions: + - key: app.kubernetes.io/name + operator: NotIn + values: + - {{ template "vault.name" . }}-agent-injector + + # Extra annotations to attach to the webhook + annotations: {} + + # Deprecated: please use 'webhook.failurePolicy' instead + # Configures failurePolicy of the webhook. The "unspecified" default behaviour depends on the + # API Version of the WebHook. + # To block pod creation while webhook is unavailable, set the policy to `Fail` below. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy + # + failurePolicy: Ignore + + # Deprecated: please use 'webhook.namespaceSelector' instead + # namespaceSelector is the selector for restricting the webhook to only + # specific namespaces. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector + # for more details. + # Example: + # namespaceSelector: + # matchLabels: + # sidecar-injector: enabled + namespaceSelector: {} + + # Deprecated: please use 'webhook.objectSelector' instead + # objectSelector is the selector for restricting the webhook to only + # specific labels. + # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector + # for more details. + # Example: + # objectSelector: + # matchLabels: + # vault-sidecar-injector: enabled + objectSelector: {} + + # Deprecated: please use 'webhook.annotations' instead + # Extra annotations to attach to the webhook + webhookAnnotations: {} + + certs: + # secretName is the name of the secret that has the TLS certificate and + # private key to serve the injector webhook. If this is null, then the + # injector will default to its automatic management mode that will assign + # a service account to the injector to generate its own certificates. + secretName: null + + # caBundle is a base64-encoded PEM-encoded certificate bundle for the CA + # that signed the TLS certificate that the webhook serves. This must be set + # if secretName is non-null unless an external service like cert-manager is + # keeping the caBundle updated. + caBundle: "" + + # certName and keyName are the names of the files within the secret for + # the TLS cert and private key, respectively. These have reasonable + # defaults but can be customized if necessary. + certName: tls.crt + keyName: tls.key + + # Security context for the pod template and the injector container + # The default pod securityContext is: + # runAsNonRoot: true + # runAsGroup: {{ .Values.injector.gid | default 1000 }} + # runAsUser: {{ .Values.injector.uid | default 100 }} + # fsGroup: {{ .Values.injector.gid | default 1000 }} + # and for container is + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + securityContext: + pod: {} + container: {} + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # extraEnvironmentVars is a list of extra environment variables to set in the + # injector deployment. + extraEnvironmentVars: {} + # KUBERNETES_SERVICE_HOST: kubernetes.default.svc + + # Affinity Settings for injector pods + # This can either be a multi-line string or YAML matching the PodSpec's affinity field. + # Commenting out or setting as empty the affinity variable, will allow + # deployment of multiple replicas to single node services such as Minikube. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: webhook + topologyKey: kubernetes.io/hostname + + # Topology settings for injector pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for injector pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Priority class for injector pods + priorityClassName: "" + + # Extra annotations to attach to the injector pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the injector pods + annotations: {} + + # Extra labels to attach to the agent-injector + # This should be a YAML map of the labels to apply to the injector + extraLabels: {} + + # Should the injector pods run on the host network (useful when using + # an alternate CNI in EKS) + hostNetwork: false + + # Injector service specific config + service: + # Extra annotations to attach to the injector service + annotations: {} + + # Injector serviceAccount specific config + serviceAccount: + # Extra annotations to attach to the injector serviceAccount + annotations: {} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + podDisruptionBudget: {} + # podDisruptionBudget: + # maxUnavailable: 1 + + # strategy for updating the deployment. This can be a multi-line string or a + # YAML map. + strategy: {} + # strategy: | + # rollingUpdate: + # maxSurge: 25% + # maxUnavailable: 25% + # type: RollingUpdate + +server: + # If true, or "-" with global.enabled true, Vault server will be installed. + # See vault.mode in _helpers.tpl for implementation details. + enabled: "-" + + # [Enterprise Only] This value refers to a Kubernetes secret that you have + # created that contains your enterprise license. If you are not using an + # enterprise image or if you plan to introduce the license key via another + # route, then leave secretName blank ("") or set it to null. + # Requires Vault Enterprise 1.8 or later. + enterpriseLicense: + # The name of the Kubernetes secret that holds the enterprise license. The + # secret must be in the same namespace that Vault is installed into. + secretName: "" + # The key within the Kubernetes secret that holds the enterprise license. + secretKey: "license" + + # Resource requests, limits, etc. for the server cluster placement. This + # should map directly to the value of the resources field for a PodSpec. + # By default no direct resource request is made. + + image: + repository: "hashicorp/vault" + tag: "1.15.2" + # Overrides the default Image Pull Policy + pullPolicy: IfNotPresent + + # Configure the Update Strategy Type for the StatefulSet + # See https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + updateStrategyType: "OnDelete" + + # Configure the logging verbosity for the Vault server. + # Supported log levels include: trace, debug, info, warn, error + logLevel: "" + + # Configure the logging format for the Vault server. + # Supported log formats include: standard, json + logFormat: "" + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Ingress allows ingress services to be created to allow external access + # from Kubernetes to access Vault pods. + # If deployment is on OpenShift, the following block is ignored. + # In order to expose the service, use the route section below + ingress: + enabled: false + labels: {} + # traffic: external + annotations: {} + # | + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # or + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + # Optionally use ingressClassName instead of deprecated annotation. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + ingressClassName: "" + + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. + pathType: Prefix + + # When HA mode is enabled and K8s service registration is being used, + # configure the ingress to point to the Vault active service. + activeService: true + hosts: + - host: chart-example.local + paths: [] + ## Extra paths to prepend to the host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # service: + # name: ssl-redirect + # port: + # number: use-annotation + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + # hostAliases is a list of aliases to be added to /etc/hosts. Specified as a YAML list. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - chart-example.local + + # OpenShift only - create a route to expose the service + # By default the created route will be of type passthrough + route: + enabled: false + + # When HA mode is enabled and K8s service registration is being used, + # configure the route to point to the Vault active service. + activeService: true + + labels: {} + annotations: {} + host: chart-example.local + # tls will be passed directly to the route's TLS config, which + # can be used to configure other termination methods that terminate + # TLS at the router + tls: + termination: passthrough + + # authDelegator enables a cluster role binding to be attached to the service + # account. This cluster role binding can be used to setup Kubernetes auth + # method. See https://developer.hashicorp.com/vault/docs/auth/kubernetes + authDelegator: + enabled: true + + # extraInitContainers is a list of init containers. Specified as a YAML list. + # This is useful if you need to run a script to provision TLS certificates or + # write out configuration files in a dynamic way. + extraInitContainers: null + # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, + # # which is defined in the volumes value. + # - name: oauthapp + # image: "alpine" + # command: [sh, -c] + # args: + # - cd /tmp && + # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz && + # tar -xf oauthapp.xz && + # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp && + # chmod +x /usr/local/libexec/vault/oauthapp + # volumeMounts: + # - name: plugins + # mountPath: /usr/local/libexec/vault + + # extraContainers is a list of sidecar containers. Specified as a YAML list. + extraContainers: null + + # shareProcessNamespace enables process namespace sharing between Vault and the extraContainers + # This is useful if Vault must be signaled, e.g. to send a SIGHUP for a log rotation + shareProcessNamespace: false + + # extraArgs is a string containing additional Vault server arguments. + extraArgs: "" + + # extraPorts is a list of extra ports. Specified as a YAML list. + # This is useful if you need to add additional ports to the statefulset in dynamic way. + extraPorts: null + # - containerPort: 8300 + # name: http-monitoring + + # Used to define custom readinessProbe settings + readinessProbe: + enabled: true + # If you need to use a http path instead of the default exec + # path: /v1/sys/health?standbyok=true + + # Port number on which readinessProbe will be checked. + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to enable a livenessProbe for the pods + livenessProbe: + enabled: false + # Used to define a liveness exec command. If provided, exec is preferred to httpGet (path) as the livenessProbe handler. + execCommand: [] + # - /bin/sh + # - -c + # - /vault/userconfig/mylivenessscript/run.sh + # Path for the livenessProbe to use httpGet as the livenessProbe handler + path: "/v1/sys/health?standbyok=true" + # Port number on which livenessProbe will be checked if httpGet is used as the livenessProbe handler + port: 8200 + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 60 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Optional duration in seconds the pod needs to terminate gracefully. + # See: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ + terminationGracePeriodSeconds: 10 + + # Used to set the sleep time during the preStop step + preStopSleepSeconds: 5 + + # Used to define commands to run after the pod is ready. + # This can be used to automate processes such as initialization + # or boostrapping auth methods. + postStart: [] + # - /bin/sh + # - -c + # - /vault/userconfig/myscript/run.sh + + # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be + # used to include variables required for auto-unseal. + extraEnvironmentVars: {} + # GOOGLE_REGION: global + # GOOGLE_PROJECT: myproject + # GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json + + # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. + # These variables take value from existing Secret objects. + extraSecretEnvironmentVars: [] + # - envName: AWS_SECRET_ACCESS_KEY + # secretName: vault + # secretKey: AWS_SECRET_ACCESS_KEY + + # Deprecated: please use 'volumes' instead. + # extraVolumes is a list of extra volumes to mount. These will be exposed + # to Vault in the path `/vault/userconfig//`. The value below is + # an array of objects, examples are shown below. + extraVolumes: [] + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: plugins + # emptyDir: {} + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - mountPath: /usr/local/libexec/vault + # name: plugins + # readOnly: true + + # Affinity Settings + # Commenting out or setting as empty the affinity variable, will allow + # deployment to single node services such as Minikube + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: "{{ .Release.Name }}" + component: server + topologyKey: kubernetes.io/hostname + + # Topology settings for server pods + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + # This should be either a multi-line string or YAML matching the topologySpreadConstraints array + # in a PodSpec. + topologySpreadConstraints: [] + + # Toleration Settings for server pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for server pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Enables network policy for server pods + networkPolicy: + enabled: false + egress: [] + # egress: + # - to: + # - ipBlock: + # cidr: 10.0.0.0/24 + # ports: + # - protocol: TCP + # port: 443 + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP + + # Priority class for server pods + priorityClassName: "" + + # Extra labels to attach to the server pods + # This should be a YAML map of the labels to apply to the server pods + extraLabels: {} + + # Extra annotations to attach to the server pods + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the server pods + annotations: {} + + # Enables a headless service to be used by the Vault Statefulset + service: + enabled: true + # Enable or disable the vault-active service, which selects Vault pods that + # have labeled themselves as the cluster leader with `vault-active: "true"`. + active: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the active service. + annotations: {} + # Enable or disable the vault-standby service, which selects Vault pods that + # have labeled themselves as a cluster follower with `vault-active: "false"`. + standby: + enabled: true + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the standby service. + annotations: {} + # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}` + # When disabled, services may select Vault pods not deployed from the chart. + # Does not affect the headless vault-internal service with `ClusterIP: None` + instanceSelector: + enabled: true + # clusterIP controls whether a Cluster IP address is attached to the + # Vault service within Kubernetes. By default, the Vault service will + # be given a Cluster IP address, set to None to disable. When disabled + # Kubernetes will create a "headless" service. Headless services can be + # used to communicate with pods directly through DNS instead of a round-robin + # load balancer. + # clusterIP: None + + # Configures the service type for the main Vault service. Can be ClusterIP + # or NodePort. + #type: ClusterIP + + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family policy, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + ipFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. + # Can be IPv4 and/or IPv6. + ipFamilies: [] + + # Do not wait for pods to be ready before including them in the services' + # targets. Does not apply to the headless service, which is used for + # cluster-internal communication. + publishNotReadyAddresses: true + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #nodePort: 30000 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #activeNodePort: 30001 + + # When HA mode is enabled + # If type is set to "NodePort", a specific nodePort value can be configured, + # will be random if left blank. + #standbyNodePort: 30002 + + # Port on which Vault server is listening + port: 8200 + # Target port to which the service should be mapped to + targetPort: 8200 + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the service. + annotations: {} + + # This configures the Vault Statefulset to create a PVC for data + # storage when using the file or raft backend storage engines. + # See https://developer.hashicorp.com/vault/docs/configuration/storage to know more + dataStorage: + enabled: true + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/data" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + # Labels to apply to the PVC + labels: {} + + # Persistent Volume Claim (PVC) retention policy + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + # Example: + # persistentVolumeClaimRetentionPolicy: + # whenDeleted: Retain + # whenScaled: Retain + persistentVolumeClaimRetentionPolicy: {} + + # This configures the Vault Statefulset to create a PVC for audit + # logs. Once Vault is deployed, initialized, and unsealed, Vault must + # be configured to use this for audit logs. This will be mounted to + # /vault/audit + # See https://developer.hashicorp.com/vault/docs/audit to know more + auditStorage: + enabled: false + # Size of the PVC created + size: 10Gi + # Location where the PVC will be mounted. + mountPath: "/vault/audit" + # Name of the storage class to use. If null it will use the + # configured default Storage Class. + storageClass: null + # Access Mode of the storage device being used for the PVC + accessMode: ReadWriteOnce + # Annotations to apply to the PVC + annotations: {} + # Labels to apply to the PVC + labels: {} + + # Run Vault in "dev" mode. This requires no further setup, no state management, + # and no initialization. This is useful for experimenting with Vault without + # needing to unseal, store keys, et. al. All data is lost on restart - do not + # use dev mode for anything other than experimenting. + # See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more + dev: + enabled: false + + # Set VAULT_DEV_ROOT_TOKEN_ID value + devRootToken: "root" + + # Run Vault in "standalone" mode. This is the default mode that will deploy if + # no arguments are given to helm. This requires a PVC for data storage to use + # the "file" backend. This mode is not highly available and should not be scaled + # past a single replica. + standalone: + enabled: "-" + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data + # and store data there. This is only used when using a Replica count of 1, and + # using a stateful set. This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + storage "file" { + path = "/vault/data" + } + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics in your config. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # Run Vault in "HA" mode. There are no storage requirements unless the audit log + # persistence is required. In HA mode Vault will configure itself to use Consul + # for its storage backend. The default configuration provided will work the Consul + # Helm project by default. It is possible to manually configure Vault to use a + # different HA backend. + ha: + enabled: false + replicas: 3 + + # Set the api_addr configuration for Vault HA + # See https://developer.hashicorp.com/vault/docs/configuration#api_addr + # If set to null, this will be set to the Pod IP Address + apiAddr: null + + # Set the cluster_addr confuguration for Vault HA + # See https://developer.hashicorp.com/vault/docs/configuration#cluster_addr + # If set to null, this will be set to https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201 + clusterAddr: null + + # Enables Vault's integrated Raft storage. Unlike the typical HA modes where + # Vault's persistence is external (such as Consul), enabling Raft mode will create + # persistent volumes for Vault to store data according to the configuration under server.dataStorage. + # The Vault cluster will coordinate leader elections and failovers internally. + raft: + + # Enables Raft integrated storage + enabled: false + # Set the Node Raft ID to the name of the pod + setNodeId: false + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + # Enable unauthenticated metrics access (necessary for Prometheus Operator) + #telemetry { + # unauthenticated_metrics_access = "true" + #} + } + + storage "raft" { + path = "/vault/data" + } + + service_registration "kubernetes" {} + + # config is a raw string of default configuration when using a Stateful + # deployment. Default is to use a Consul for its HA storage backend. + # This should be HCL. + + # Note: Configuration files are stored in ConfigMaps so sensitive data + # such as passwords should be either mounted through extraSecretEnvironmentVars + # or through a Kube secret. For more information see: + # https://developer.hashicorp.com/vault/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations + config: | + ui = true + + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "consul" { + path = "vault" + address = "HOST_IP:8500" + } + + service_registration "kubernetes" {} + + # Example configuration for using auto-unseal, using Google Cloud KMS. The + # GKMS keys must already exist, and the cluster must have a service account + # that is authorized to access GCP KMS. + #seal "gcpckms" { + # project = "vault-helm-dev-246514" + # region = "global" + # key_ring = "vault-helm-unseal-kr" + # crypto_key = "vault-helm-unseal-key" + #} + + # Example configuration for enabling Prometheus metrics. + # If you are using Prometheus Operator you can enable a ServiceMonitor resource below. + # You may wish to enable unauthenticated metrics in the listener block above. + #telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + #} + + # A disruption budget limits the number of pods of a replicated application + # that are down simultaneously from voluntary disruptions + disruptionBudget: + enabled: true + + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. + maxUnavailable: null + + # Definition of the serviceAccount used to run Vault. + # These options are also used when using an external Vault server to validate + # Kubernetes tokens. + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + # Create a Secret API object to store a non-expiring token for the service account. + # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets + # serviceAccount.create must be equal to 'true' in order to use this feature. + createSecret: false + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + # Extra labels to attach to the serviceAccount + # This should be a YAML map of the labels to apply to the serviceAccount + extraLabels: {} + # Enable or disable a service account role binding with the permissions required for + # Vault's Kubernetes service_registration config option. + # See https://developer.hashicorp.com/vault/docs/configuration/service-registration/kubernetes + serviceDiscovery: + enabled: true + + # Settings for the statefulSet used to run Vault. + statefulSet: + # Extra annotations for the statefulSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the statefulSet. + annotations: {} + + # Set the pod and container security contexts. + # If not set, these will default to, and for *not* OpenShift: + # pod: + # runAsNonRoot: true + # runAsGroup: {{ .Values.server.gid | default 1000 }} + # runAsUser: {{ .Values.server.uid | default 100 }} + # fsGroup: {{ .Values.server.gid | default 1000 }} + # container: + # allowPrivilegeEscalation: false + # + # If not set, these will default to, and for OpenShift: + # pod: {} + # container: {} + securityContext: + pod: {} + container: {} + + # Should the server pods run on the host network + hostNetwork: false + +# Vault UI +ui: + # True if you want to create a Service entry for the Vault UI. + # + # serviceType can be used to control the type of service created. For + # example, setting this to "LoadBalancer" will create an external load + # balancer (for supported K8S installations) to access the UI. + enabled: false + publishNotReadyAddresses: true + # The service should only contain selectors for active Vault pod + activeVaultPodOnly: false + serviceType: "ClusterIP" + serviceNodePort: null + externalPort: 8200 + targetPort: 8200 + + # The IP family and IP families options are to set the behaviour in a dual-stack environment. + # Omitting these values will let the service fall back to whatever the CNI dictates the defaults + # should be. + # These are only supported for kubernetes versions >=1.23.0 + # + # Configures the service's supported IP family, can be either: + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. + # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. + serviceIPFamilyPolicy: "" + + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well + # Can be IPv4 and/or IPv6. + serviceIPFamilies: [] + + # The externalTrafficPolicy can be set to either Cluster or Local + # and is only valid for LoadBalancer and NodePort service types. + # The default value is Cluster. + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy + externalTrafficPolicy: Cluster + + #loadBalancerSourceRanges: + # - 10.0.0.0/16 + # - 1.78.23.3/32 + + # loadBalancerIP: + + # Extra annotations to attach to the ui service + # This can either be YAML or a YAML-formatted multi-line templated string map + # of the annotations to apply to the ui service + annotations: {} + +# secrets-store-csi-driver-provider-vault +csi: + # True if you want to install a secrets-store-csi-driver-provider-vault daemonset. + # + # Requires installing the secrets-store-csi-driver separately, see: + # https://github.com/kubernetes-sigs/secrets-store-csi-driver#install-the-secrets-store-csi-driver + # + # With the driver and provider installed, you can mount Vault secrets into volumes + # similar to the Vault Agent injector, and you can also sync those secrets into + # Kubernetes secrets. + enabled: false + + image: + repository: "hashicorp/vault-csi-provider" + tag: "1.4.1" + pullPolicy: IfNotPresent + + # volumes is a list of volumes made available to all containers. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumes: null + # - name: tls + # secret: + # secretName: vault-tls + + # volumeMounts is a list of volumeMounts for the main server container. These are rendered + # via toYaml rather than pre-processed like the extraVolumes value. + # The purpose is to make it easy to share volumes between containers. + volumeMounts: null + # - name: tls + # mountPath: "/vault/tls" + # readOnly: true + + resources: {} + # resources: + # requests: + # cpu: 50m + # memory: 128Mi + # limits: + # cpu: 50m + # memory: 128Mi + + # Override the default secret name for the CSI Provider's HMAC key used for + # generating secret versions. + hmacSecretName: "" + + # Settings for the daemonSet used to run the provider. + daemonSet: + updateStrategy: + type: RollingUpdate + maxUnavailable: "" + # Extra annotations for the daemonSet. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the daemonSet. + annotations: {} + # Provider host path (must match the CSI provider's path) + providersDir: "/etc/kubernetes/secrets-store-csi-providers" + # Kubelet host path + kubeletRootDir: "/var/lib/kubelet" + # Extra labels to attach to the vault-csi-provider daemonSet + # This should be a YAML map of the labels to apply to the csi provider daemonSet + extraLabels: {} + # security context for the pod template and container in the csi provider daemonSet + securityContext: + pod: {} + container: {} + + pod: + # Extra annotations for the provider pods. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the pod. + annotations: {} + + # Toleration Settings for provider pods + # This should be either a multi-line string or YAML matching the Toleration array + # in a PodSpec. + tolerations: [] + + # nodeSelector labels for csi pod assignment, formatted as a multi-line string or YAML map. + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + # Example: + # nodeSelector: + # beta.kubernetes.io/arch: amd64 + nodeSelector: {} + + # Affinity Settings + # This should be either a multi-line string or YAML matching the PodSpec's affinity field. + affinity: {} + + # Extra labels to attach to the vault-csi-provider pod + # This should be a YAML map of the labels to apply to the csi provider pod + extraLabels: {} + + agent: + enabled: true + extraArgs: [] + + image: + repository: "hashicorp/vault" + tag: "1.15.2" + pullPolicy: IfNotPresent + + logFormat: standard + logLevel: info + + resources: {} + # resources: + # requests: + # memory: 256Mi + # cpu: 250m + # limits: + # memory: 256Mi + # cpu: 250m + + # Priority class for csi pods + priorityClassName: "" + + serviceAccount: + # Extra annotations for the serviceAccount definition. This can either be + # YAML or a YAML-formatted multi-line templated string map of the + # annotations to apply to the serviceAccount. + annotations: {} + + # Extra labels to attach to the vault-csi-provider serviceAccount + # This should be a YAML map of the labels to apply to the csi provider serviceAccount + extraLabels: {} + + # Used to configure readinessProbe for the pods. + readinessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + # Used to configure livenessProbe for the pods. + livenessProbe: + # When a probe fails, Kubernetes will try failureThreshold times before giving up + failureThreshold: 2 + # Number of seconds after the container has started before probe initiates + initialDelaySeconds: 5 + # How often (in seconds) to perform the probe + periodSeconds: 5 + # Minimum consecutive successes for the probe to be considered successful after having failed + successThreshold: 1 + # Number of seconds after which the probe times out. + timeoutSeconds: 3 + + # Enables debug logging. + debug: false + + # Pass arbitrary additional arguments to vault-csi-provider. + # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments + # for the available command line flags. + extraArgs: [] + +# Vault is able to collect and publish various runtime metrics. +# Enabling this feature requires setting adding `telemetry{}` stanza to +# the Vault configuration. There are a few examples included in the `config` sections above. +# +# For more information see: +# https://developer.hashicorp.com/vault/docs/configuration/telemetry +# https://developer.hashicorp.com/vault/docs/internals/telemetry +serverTelemetry: + # Enable support for the Prometheus Operator. Currently, this chart does not support + # authenticating to Vault's metrics endpoint, so the following `telemetry{}` must be included + # in the `listener "tcp"{}` stanza + # telemetry { + # unauthenticated_metrics_access = "true" + # } + # + # See the `standalone.config` for a more complete example of this. + # + # In addition, a top level `telemetry{}` stanza must also be included in the Vault configuration: + # + # example: + # telemetry { + # prometheus_retention_time = "30s" + # disable_hostname = true + # } + # + # Configuration for monitoring the Vault server. + serviceMonitor: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + # + # Instructions on how to install the Helm chart can be found here: + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack + # More information can be found here: + # https://github.com/prometheus-operator/prometheus-operator + # https://github.com/prometheus-operator/kube-prometheus + + # Enable deployment of the Vault Server ServiceMonitor CustomResource. + enabled: false + + # Selector labels to add to the ServiceMonitor. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Interval at which Prometheus scrapes metrics + interval: 30s + + # Timeout for Prometheus scrapes + scrapeTimeout: 10s + + prometheusRules: + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical diff --git a/charts/hashicorp/vault/0.28.0/.helmignore b/charts/hashicorp/vault/0.28.0/.helmignore new file mode 100644 index 0000000000..4007e24350 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.terraform/ +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# CI and test +.circleci/ +.github/ +.gitlab-ci.yml +test/ diff --git a/charts/hashicorp/vault/CHANGELOG.md b/charts/hashicorp/vault/0.28.0/CHANGELOG.md similarity index 100% rename from charts/hashicorp/vault/CHANGELOG.md rename to charts/hashicorp/vault/0.28.0/CHANGELOG.md diff --git a/charts/hashicorp/vault/CODEOWNERS b/charts/hashicorp/vault/0.28.0/CODEOWNERS similarity index 100% rename from charts/hashicorp/vault/CODEOWNERS rename to charts/hashicorp/vault/0.28.0/CODEOWNERS diff --git a/charts/hashicorp/vault/0.28.0/CONTRIBUTING.md b/charts/hashicorp/vault/0.28.0/CONTRIBUTING.md new file mode 100644 index 0000000000..ad31ac92d1 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/CONTRIBUTING.md @@ -0,0 +1,247 @@ +# Contributing to Vault Helm + +**Please note:** We take Vault's security and our users' trust very seriously. +If you believe you have found a security issue in Vault, please responsibly +disclose by contacting us at security@hashicorp.com. + +**First:** if you're unsure or afraid of _anything_, just ask or submit the +issue or pull request anyways. You won't be yelled at for giving it your best +effort. The worst that can happen is that you'll be politely asked to change +something. We appreciate any sort of contributions, and don't want a wall of +rules to get in the way of that. + +That said, if you want to ensure that a pull request is likely to be merged, +talk to us! You can find out our thoughts and ensure that your contribution +won't clash or be obviated by Vault's normal direction. A great way to do this +is via the [Vault Discussion Forum][1]. + +This document will cover what we're looking for in terms of reporting issues. +By addressing all the points we're looking for, it raises the chances we can +quickly merge or address your contributions. + +[1]: https://discuss.hashicorp.com/c/vault + +## Issues + +### Reporting an Issue + +* Make sure you test against the latest released version. It is possible + we already fixed the bug you're experiencing. Even better is if you can test + against `main`, as bugs are fixed regularly but new versions are only + released every few months. + +* Provide steps to reproduce the issue, and if possible include the expected + results as well as the actual results. Please provide text, not screen shots! + +* Respond as promptly as possible to any questions made by the Vault + team to your issue. Stale issues will be closed periodically. + +### Issue Lifecycle + +1. The issue is reported. + +2. The issue is verified and categorized by a Vault Helm collaborator. + Categorization is done via tags. For example, bugs are marked as "bugs". + +3. Unless it is critical, the issue may be left for a period of time (sometimes + many weeks), giving outside contributors -- maybe you!? -- a chance to + address the issue. + +4. The issue is addressed in a pull request or commit. The issue will be + referenced in the commit message so that the code that fixes it is clearly + linked. + +5. The issue is closed. Sometimes, valid issues will be closed to keep + the issue tracker clean. The issue is still indexed and available for + future viewers, or can be re-opened if necessary. + +## Testing + +The Helm chart ships with both unit and acceptance tests. + +The unit tests don't require any active Kubernetes cluster and complete +very quickly. These should be used for fast feedback during development. +The acceptance tests require a Kubernetes cluster with a configured `kubectl`. + +### Test Using Docker Container + +The following are the instructions for running bats tests using a Docker container. + +#### Prerequisites + +* Docker installed +* `vault-helm` checked out locally + +#### Test + +**Note:** the following commands should be run from the `vault-helm` directory. + +First, build the Docker image for running the tests: + +```shell +docker build -f ${PWD}/test/docker/Test.dockerfile ${PWD}/test/docker/ -t vault-helm-test +``` +Next, execute the tests with the following commands: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit +``` +It's possible to only run specific bats tests using regular expressions. +For example, the following will run only tests with "injector" in the name: +```shell +docker run -it --rm -v "${PWD}:/test" vault-helm-test bats /test/test/unit -f "injector" +``` + +### Test Manually +The following are the instructions for running bats tests on your workstation. +#### Prerequisites +* [Bats](https://github.com/bats-core/bats-core) + ```bash + brew install bats-core + ``` +* [yq](https://pypi.org/project/yq/) + ```bash + brew install python-yq + ``` +* [helm](https://helm.sh) + ```bash + brew install kubernetes-helm + ``` + +#### Test + +To run the unit tests: + + bats ./test/unit + +To run the acceptance tests: + + bats ./test/acceptance + +If the acceptance tests fail, deployed resources in the Kubernetes cluster +may not be properly cleaned up. We recommend recycling the Kubernetes cluster to +start from a clean slate. + +**Note:** There is a Terraform configuration in the +[`test/terraform/`](https://github.com/hashicorp/vault-helm/tree/main/test/terraform) directory +that can be used to quickly bring up a GKE cluster and configure +`kubectl` and `helm` locally. This can be used to quickly spin up a test +cluster for acceptance tests. Unit tests _do not_ require a running Kubernetes +cluster. + +### Writing Unit Tests + +Changes to the Helm chart should be accompanied by appropriate unit tests. + +#### Formatting + +- Put tests in the test file in the same order as the variables appear in the `values.yaml`. +- Start tests for a chart value with a header that says what is being tested, like this: + ``` + #-------------------------------------------------------------------- + # annotations + ``` + +- Name the test based on what it's testing in the following format (this will be its first line): + ``` + @test "
: " { + ``` + + When adding tests to an existing file, the first section will be the same as the other tests in the file. + +#### Test Details + +[Bats](https://github.com/bats-core/bats-core) provides a way to run commands in a shell and inspect the output in an automated way. +In all of the tests in this repo, the base command being run is [helm template](https://docs.helm.sh/helm/#helm-template) which turns the templated files into straight yaml output. +In this way, we're able to test that the various conditionals in the templates render as we would expect. + +Each test defines the files that should be rendered using the `--show-only` flag, then it might adjust chart values by adding `--set` flags as well. +The output from this `helm template` command is then piped to [yq](https://pypi.org/project/yq/). +`yq` allows us to pull out just the information we're interested in, either by referencing its position in the yaml file directly or giving information about it (like its length). +The `-r` flag can be used with `yq` to return a raw string instead of a quoted one which is especially useful when looking for an exact match. + +The test passes or fails based on the conditional at the end that is in square brackets, which is a comparison of our expected value and the output of `helm template` piped to `yq`. + +The `| tee /dev/stderr ` pieces direct any terminal output of the `helm template` and `yq` commands to stderr so that it doesn't interfere with `bats`. + +#### Test Examples + +Here are some examples of common test patterns: + +- Check that a value is disabled by default + + ``` + @test "ui/Service: no type by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "null" ] + } + ``` + + In this example, nothing is changed from the default templates (no `--set` flags), then we use `yq` to retrieve the value we're checking, `.spec.type`. + This output is then compared against our expected value (`null` in this case) in the assertion `[ "${actual}" = "null" ]`. + + +- Check that a template value is rendered to a specific value + ``` + @test "ui/Service: specified type" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/ui-service.yaml \ + --set 'ui.serviceType=LoadBalancer' \ + . | tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "LoadBalancer" ] + } + ``` + + This is very similar to the last example, except we've changed a default value with the `--set` flag and correspondingly changed the expected value. + +- Check that a template value contains several values + ``` + @test "server/standalone-StatefulSet: custom resources" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.requests.memory=256Mi' \ + --set 'server.resources.requests.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.requests.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + + local actual=$(helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'server.standalone.enabled=true' \ + --set 'server.resources.limits.memory=256Mi' \ + --set 'server.resources.limits.cpu=250m' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].resources.limits.memory' | tee /dev/stderr) + [ "${actual}" = "256Mi" ] + ``` + + *Note:* If testing more than two conditions, it would be good to separate the `helm template` part of the command from the `yq` sections to reduce redundant work. + +- Check that an entire template file is not rendered + ``` + @test "syncCatalog/Deployment: disabled by default" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-statefulset.yaml \ + --set 'global.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] + } + ``` + Here we are check the length of the command output to see if the anything is rendered. + This style can easily be switched to check that a file is rendered instead. + +## Contributor License Agreement + +We require that all contributors sign our Contributor License Agreement ("CLA") +before we can accept the contribution. + +[Learn more about why HashiCorp requires a CLA and what the CLA includes](https://www.hashicorp.com/cla) diff --git a/charts/hashicorp/vault/Chart.yaml b/charts/hashicorp/vault/0.28.0/Chart.yaml similarity index 100% rename from charts/hashicorp/vault/Chart.yaml rename to charts/hashicorp/vault/0.28.0/Chart.yaml diff --git a/charts/hashicorp/vault/0.28.0/LICENSE b/charts/hashicorp/vault/0.28.0/LICENSE new file mode 100644 index 0000000000..74f38c0103 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/LICENSE @@ -0,0 +1,355 @@ +Copyright (c) 2018 HashiCorp, Inc. + +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor” + + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version” + + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution” + + means Covered Software of a particular Contributor. + +1.4. “Covered Software” + + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses” + means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form” + + means any form of the work other than Source Code Form. + +1.7. “Larger Work” + + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License” + + means this document. + +1.9. “Licensable” + + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications” + + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims” of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License” + + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form” + + means the form of the work preferred for making modifications. + +1.14. “You” (or “Your”) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You” includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control” means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is” basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses” Notice + + This Source Code Form is “Incompatible + With Secondary Licenses”, as defined by + the Mozilla Public License, v. 2.0. diff --git a/charts/hashicorp/vault/Makefile b/charts/hashicorp/vault/0.28.0/Makefile similarity index 100% rename from charts/hashicorp/vault/Makefile rename to charts/hashicorp/vault/0.28.0/Makefile diff --git a/charts/hashicorp/vault/0.28.0/README.md b/charts/hashicorp/vault/0.28.0/README.md new file mode 100644 index 0000000000..256bd8b915 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/README.md @@ -0,0 +1,43 @@ +# Vault Helm Chart + +> :warning: **Please note**: We take Vault's security and our users' trust very seriously. If +you believe you have found a security issue in Vault Helm, _please responsibly disclose_ +by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). + +This repository contains the official HashiCorp Helm chart for installing +and configuring Vault on Kubernetes. This chart supports multiple use +cases of Vault on Kubernetes depending on the values provided. + +For full documentation on this Helm chart along with all the ways you can +use Vault with Kubernetes, please see the +[Vault and Kubernetes documentation](https://developer.hashicorp.com/vault/docs/platform/k8s). + +## Prerequisites + +To use the charts here, [Helm](https://helm.sh/) must be configured for your +Kubernetes cluster. Setting up Kubernetes and Helm is outside the scope of +this README. Please refer to the Kubernetes and Helm documentation. + +The versions required are: + + * **Helm 3.6+** + * **Kubernetes 1.22+** - This is the earliest version of Kubernetes tested. + It is possible that this chart works with earlier versions but it is + untested. + +## Usage + +To install the latest version of this chart, add the Hashicorp helm repository +and run `helm install`: + +```console +$ helm repo add hashicorp https://helm.releases.hashicorp.com +"hashicorp" has been added to your repositories + +$ helm install vault hashicorp/vault +``` + +Please see the many options supported in the `values.yaml` file. These are also +fully documented directly on the [Vault +website](https://developer.hashicorp.com/vault/docs/platform/k8s/helm) along with more +detailed installation instructions. diff --git a/charts/hashicorp/vault/0.28.0/templates/NOTES.txt b/charts/hashicorp/vault/0.28.0/templates/NOTES.txt new file mode 100644 index 0000000000..60d99a4e56 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/NOTES.txt @@ -0,0 +1,14 @@ + +Thank you for installing HashiCorp Vault! + +Now that you have deployed Vault, you should look over the docs on using +Vault with Kubernetes available here: + +https://developer.hashicorp.com/vault/docs + + +Your release is named {{ .Release.Name }}. To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get manifest {{ .Release.Name }} + diff --git a/charts/hashicorp/vault/templates/_helpers.tpl b/charts/hashicorp/vault/0.28.0/templates/_helpers.tpl similarity index 100% rename from charts/hashicorp/vault/templates/_helpers.tpl rename to charts/hashicorp/vault/0.28.0/templates/_helpers.tpl diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-agent-configmap.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-agent-configmap.yaml new file mode 100644 index 0000000000..18cdb04ac4 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-agent-configmap.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if and (.csiEnabled) (eq (.Values.csi.agent.enabled | toString) "true") -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +data: + config.hcl: | + vault { + {{- if .Values.global.externalVaultAddr }} + "address" = "{{ .Values.global.externalVaultAddr }}" + {{- else }} + "address" = "{{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }}" + {{- end }} + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-clusterrole.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-clusterrole.yaml new file mode 100644 index 0000000000..6d979ea40c --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-clusterrole.yaml @@ -0,0 +1,23 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-clusterrolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-clusterrolebinding.yaml new file mode 100644 index 0000000000..506ec944a7 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-clusterrolebinding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-daemonset.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-daemonset.yaml new file mode 100644 index 0000000000..1436ff9058 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-daemonset.yaml @@ -0,0 +1,157 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.daemonSet.extraLabels -}} + {{- toYaml .Values.csi.daemonSet.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.daemonSet.annotations" . }} +spec: + updateStrategy: + type: {{ .Values.csi.daemonSet.updateStrategy.type }} + {{- if .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.daemonSet.updateStrategy.maxUnavailable }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.csi.pod.extraLabels -}} + {{- toYaml .Values.csi.pod.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "csi.pod.annotations" . }} + spec: + {{ template "csi.daemonSet.securityContext.pod" . }} + {{- if .Values.csi.priorityClassName }} + priorityClassName: {{ .Values.csi.priorityClassName }} + {{- end }} + serviceAccountName: {{ template "vault.fullname" . }}-csi-provider + {{- template "csi.pod.tolerations" . }} + {{- template "csi.pod.nodeselector" . }} + {{- template "csi.pod.affinity" . }} + containers: + - name: {{ include "vault.name" . }}-csi-provider + {{ template "csi.resources" . }} + {{ template "csi.daemonSet.securityContext.container" . }} + image: "{{ .Values.csi.image.repository }}:{{ .Values.csi.image.tag }}" + imagePullPolicy: {{ .Values.csi.image.pullPolicy }} + args: + - --endpoint=/provider/vault.sock + - --debug={{ .Values.csi.debug }} + {{- if .Values.csi.hmacSecretName }} + - --hmac-secret-name={{ .Values.csi.hmacSecretName }} + {{- else }} + - --hmac-secret-name={{- include "vault.name" . }}-csi-provider-hmac-key + {{- end }} + {{- if .Values.csi.extraArgs }} + {{- toYaml .Values.csi.extraArgs | nindent 12 }} + {{- end }} + env: + - name: VAULT_ADDR + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + value: "unix:///var/run/vault/agent.sock" + {{- else if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- end }} + volumeMounts: + - name: providervol + mountPath: "/provider" + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-unix-socket + mountPath: /var/run/vault + {{- end }} + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12}} + {{- end }} + livenessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: 8080 + failureThreshold: {{ .Values.csi.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.csi.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.csi.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.csi.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.csi.readinessProbe.timeoutSeconds }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: {{ include "vault.name" . }}-agent + image: "{{ .Values.csi.agent.image.repository }}:{{ .Values.csi.agent.image.tag }}" + imagePullPolicy: {{ .Values.csi.agent.image.pullPolicy }} + {{ template "csi.agent.resources" . }} + command: + - vault + args: + - agent + - -config=/etc/vault/config.hcl + {{- if .Values.csi.agent.extraArgs }} + {{- toYaml .Values.csi.agent.extraArgs | nindent 12 }} + {{- end }} + ports: + - containerPort: 8200 + env: + - name: VAULT_LOG_LEVEL + value: "{{ .Values.csi.agent.logLevel }}" + - name: VAULT_LOG_FORMAT + value: "{{ .Values.csi.agent.logFormat }}" + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 100 + runAsGroup: 1000 + volumeMounts: + - name: agent-config + mountPath: /etc/vault/config.hcl + subPath: config.hcl + readOnly: true + - name: agent-unix-socket + mountPath: /var/run/vault + {{- if .Values.csi.volumeMounts }} + {{- toYaml .Values.csi.volumeMounts | nindent 12 }} + {{- end }} + {{- end }} + volumes: + - name: providervol + hostPath: + path: {{ .Values.csi.daemonSet.providersDir }} + {{- if eq (.Values.csi.agent.enabled | toString) "true" }} + - name: agent-config + configMap: + name: {{ template "vault.fullname" . }}-csi-provider-agent-config + - name: agent-unix-socket + emptyDir: + medium: Memory + {{- end }} + {{- if .Values.csi.volumes }} + {{- toYaml .Values.csi.volumes | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-role.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-role.yaml new file mode 100644 index 0000000000..17e1918b4f --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-role.yaml @@ -0,0 +1,32 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-role + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + resourceNames: + {{- if .Values.csi.hmacSecretName }} + - {{ .Values.csi.hmacSecretName }} + {{- else }} + - {{ include "vault.name" . }}-csi-provider-hmac-key + {{- end }} +# 'create' permissions cannot be restricted by resource name: +# https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-rolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-rolebinding.yaml new file mode 100644 index 0000000000..3d3b981b85 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-rolebinding.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-csi-provider-rolebinding + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-csi-provider-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/csi-serviceaccount.yaml b/charts/hashicorp/vault/0.28.0/templates/csi-serviceaccount.yaml new file mode 100644 index 0000000000..6327a7b2fa --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/csi-serviceaccount.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.csiEnabled" . -}} +{{- if .csiEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-csi-provider + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-csi-provider + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.csi.serviceAccount.extraLabels -}} + {{- toYaml .Values.csi.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "csi.serviceAccount.annotations" . }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-certs-secret.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-certs-secret.yaml new file mode 100644 index 0000000000..f6995af108 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-certs-secret.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: v1 +kind: Secret +metadata: + name: vault-injector-certs + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/templates/injector-clusterrole.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-clusterrole.yaml similarity index 100% rename from charts/hashicorp/vault/templates/injector-clusterrole.yaml rename to charts/hashicorp/vault/0.28.0/templates/injector-clusterrole.yaml diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-clusterrolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-clusterrolebinding.yaml new file mode 100644 index 0000000000..82cbce0ced --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-binding + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "vault.fullname" . }}-agent-injector-clusterrole +subjects: +- kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-deployment.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-deployment.yaml new file mode 100644 index 0000000000..822e8e41dc --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-deployment.yaml @@ -0,0 +1,179 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +# Deployment for the injector +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + replicas: {{ .Values.injector.replicas }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{ template "injector.strategy" . }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- if .Values.injector.extraLabels -}} + {{- toYaml .Values.injector.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "injector.annotations" . }} + spec: + {{ template "injector.affinity" . }} + {{ template "injector.topologySpreadConstraints" . }} + {{ template "injector.tolerations" . }} + {{ template "injector.nodeselector" . }} + {{- if .Values.injector.priorityClassName }} + priorityClassName: {{ .Values.injector.priorityClassName }} + {{- end }} + serviceAccountName: "{{ template "vault.fullname" . }}-agent-injector" + {{ template "injector.securityContext.pod" . -}} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.injector.hostNetwork }} + {{- end }} + containers: + - name: sidecar-injector + {{ template "injector.resources" . }} + image: "{{ .Values.injector.image.repository }}:{{ .Values.injector.image.tag }}" + imagePullPolicy: "{{ .Values.injector.image.pullPolicy }}" + {{- template "injector.securityContext.container" . }} + env: + - name: AGENT_INJECT_LISTEN + value: {{ printf ":%v" .Values.injector.port }} + - name: AGENT_INJECT_LOG_LEVEL + value: {{ .Values.injector.logLevel | default "info" }} + - name: AGENT_INJECT_VAULT_ADDR + {{- if .Values.global.externalVaultAddr }} + value: "{{ .Values.global.externalVaultAddr }}" + {{- else if .Values.injector.externalVaultAddr }} + value: "{{ .Values.injector.externalVaultAddr }}" + {{- else }} + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- end }} + - name: AGENT_INJECT_VAULT_AUTH_PATH + value: {{ .Values.injector.authPath }} + - name: AGENT_INJECT_VAULT_IMAGE + value: "{{ .Values.injector.agentImage.repository }}:{{ .Values.injector.agentImage.tag }}" + {{- if .Values.injector.certs.secretName }} + - name: AGENT_INJECT_TLS_CERT_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.certName }}" + - name: AGENT_INJECT_TLS_KEY_FILE + value: "/etc/webhook/certs/{{ .Values.injector.certs.keyName }}" + {{- else }} + - name: AGENT_INJECT_TLS_AUTO + value: {{ template "vault.fullname" . }}-agent-injector-cfg + - name: AGENT_INJECT_TLS_AUTO_HOSTS + value: {{ template "vault.fullname" . }}-agent-injector-svc,{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }},{{ template "vault.fullname" . }}-agent-injector-svc.{{ include "vault.namespace" . }}.svc + {{- end }} + - name: AGENT_INJECT_LOG_FORMAT + value: {{ .Values.injector.logFormat | default "standard" }} + - name: AGENT_INJECT_REVOKE_ON_SHUTDOWN + value: "{{ .Values.injector.revokeOnShutdown | default false }}" + {{- if .Values.global.openshift }} + - name: AGENT_INJECT_SET_SECURITY_CONTEXT + value: "false" + {{- end }} + {{- if .Values.injector.metrics.enabled }} + - name: AGENT_INJECT_TELEMETRY_PATH + value: "/metrics" + {{- end }} + {{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} + - name: AGENT_INJECT_USE_LEADER_ELECTOR + value: "true" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + - name: AGENT_INJECT_CPU_REQUEST + value: "{{ .Values.injector.agentDefaults.cpuRequest }}" + - name: AGENT_INJECT_CPU_LIMIT + value: "{{ .Values.injector.agentDefaults.cpuLimit }}" + - name: AGENT_INJECT_MEM_REQUEST + value: "{{ .Values.injector.agentDefaults.memRequest }}" + - name: AGENT_INJECT_MEM_LIMIT + value: "{{ .Values.injector.agentDefaults.memLimit }}" + {{- if .Values.injector.agentDefaults.ephemeralRequest }} + - name: AGENT_INJECT_EPHEMERAL_REQUEST + value: "{{ .Values.injector.agentDefaults.ephemeralRequest }}" + {{- end }} + {{- if .Values.injector.agentDefaults.ephemeralLimit }} + - name: AGENT_INJECT_EPHEMERAL_LIMIT + value: "{{ .Values.injector.agentDefaults.ephemeralLimit }}" + {{- end }} + - name: AGENT_INJECT_DEFAULT_TEMPLATE + value: "{{ .Values.injector.agentDefaults.template }}" + - name: AGENT_INJECT_TEMPLATE_CONFIG_EXIT_ON_RETRY_FAILURE + value: "{{ .Values.injector.agentDefaults.templateConfig.exitOnRetryFailure }}" + {{- if .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }} + - name: AGENT_INJECT_TEMPLATE_STATIC_SECRET_RENDER_INTERVAL + value: "{{ .Values.injector.agentDefaults.templateConfig.staticSecretRenderInterval }}" + {{- end }} + {{- include "vault.extraEnvironmentVars" .Values.injector | nindent 12 }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + args: + - agent-inject + - 2>&1 + livenessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.livenessProbe.timeoutSeconds }} + readinessProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.injector.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.readinessProbe.timeoutSeconds }} + startupProbe: + httpGet: + path: /health/ready + port: {{ .Values.injector.port }} + scheme: HTTPS + failureThreshold: {{ .Values.injector.startupProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.injector.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.injector.startupProbe.periodSeconds }} + successThreshold: {{ .Values.injector.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.injector.startupProbe.timeoutSeconds }} +{{- if .Values.injector.certs.secretName }} + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true +{{- end }} +{{- if .Values.injector.certs.secretName }} + volumes: + - name: webhook-certs + secret: + secretName: "{{ .Values.injector.certs.secretName }}" +{{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-disruptionbudget.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-disruptionbudget.yaml new file mode 100644 index 0000000000..2b2a61c6fe --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-disruptionbudget.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.injector.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + component: webhook +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + {{- toYaml .Values.injector.podDisruptionBudget | nindent 2 }} +{{- end -}} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-mutating-webhook.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-mutating-webhook.yaml new file mode 100644 index 0000000000..b1de1ee3f4 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-mutating-webhook.yaml @@ -0,0 +1,44 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-cfg + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "injector.webhookAnnotations" . }} +webhooks: + - name: vault.hashicorp.com + failurePolicy: {{ ((.Values.injector.webhook)).failurePolicy | default .Values.injector.failurePolicy }} + matchPolicy: {{ ((.Values.injector.webhook)).matchPolicy | default "Exact" }} + sideEffects: None + timeoutSeconds: {{ ((.Values.injector.webhook)).timeoutSeconds | default "30" }} + admissionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ include "vault.namespace" . }} + path: "/mutate" + caBundle: {{ .Values.injector.certs.caBundle | quote }} + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] +{{- if or (.Values.injector.namespaceSelector) (((.Values.injector.webhook)).namespaceSelector) }} + namespaceSelector: +{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}} +{{ end }} +{{- template "injector.objectSelector" . -}} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-network-policy.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-network-policy.yaml new file mode 100644 index 0000000000..4c3b087828 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-network-policy.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.openshift | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-psp-role.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-psp-role.yaml new file mode 100644 index 0000000000..a07f8f6c0c --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-psp-rolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-psp-rolebinding.yaml new file mode 100644 index 0000000000..3c97e8dad0 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-psp.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-psp.yaml new file mode 100644 index 0000000000..0eca9a87c6 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-psp.yaml @@ -0,0 +1,51 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if eq (.Values.global.psp.enable | toString) "true" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-role.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-role.yaml new file mode 100644 index 0000000000..b2ad0c7b98 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-role.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: + - apiGroups: [""] + resources: ["secrets", "configmaps"] + verbs: + - "create" + - "get" + - "watch" + - "list" + - "update" + - apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "patch" + - "delete" +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-rolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-rolebinding.yaml new file mode 100644 index 0000000000..6ad25ca695 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-rolebinding.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +{{- if and (eq (.Values.injector.leaderElector.enabled | toString) "true") (gt (.Values.injector.replicas | int) 1) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-binding + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-agent-injector-leader-elector-role +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-service.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-service.yaml new file mode 100644 index 0000000000..1479cd1ab9 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-service.yaml @@ -0,0 +1,27 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-agent-injector-svc + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.service.annotations" . }} +spec: + ports: + - name: https + port: 443 + targetPort: {{ .Values.injector.port }} + selector: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + component: webhook +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/injector-serviceaccount.yaml b/charts/hashicorp/vault/0.28.0/templates/injector-serviceaccount.yaml new file mode 100644 index 0000000000..2f91c3d4aa --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/injector-serviceaccount.yaml @@ -0,0 +1,18 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- template "vault.injectorEnabled" . -}} +{{- if .injectorEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.fullname" . }}-agent-injector + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{ template "injector.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/prometheus-prometheusrules.yaml b/charts/hashicorp/vault/0.28.0/templates/prometheus-prometheusrules.yaml new file mode 100644 index 0000000000..7e58a0e522 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/prometheus-prometheusrules.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ if and (.Values.serverTelemetry.prometheusRules.rules) + (or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.prometheusRules.enabled) ) +}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.prometheusRules.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + groups: + - name: {{ include "vault.fullname" . }} + rules: + {{- toYaml .Values.serverTelemetry.prometheusRules.rules | nindent 6 }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/prometheus-servicemonitor.yaml b/charts/hashicorp/vault/0.28.0/templates/prometheus-servicemonitor.yaml new file mode 100644 index 0000000000..25d30a468e --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/prometheus-servicemonitor.yaml @@ -0,0 +1,49 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{ if or (.Values.global.serverTelemetry.prometheusOperator) (.Values.serverTelemetry.serviceMonitor.enabled) }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "vault.fullname" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- /* update the selectors docs in values.yaml whenever the defaults below change. */ -}} + {{- $selectors := .Values.serverTelemetry.serviceMonitor.selectors }} + {{- if $selectors }} + {{- toYaml $selectors | nindent 4 }} + {{- else }} + release: prometheus + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if eq .mode "ha" }} + vault-active: "true" + {{- else }} + vault-internal: "true" + {{- end }} + endpoints: + - port: {{ include "vault.scheme" . }} + interval: {{ .Values.serverTelemetry.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.serverTelemetry.serviceMonitor.scrapeTimeout }} + scheme: {{ include "vault.scheme" . | lower }} + path: /v1/sys/metrics + params: + format: + - prometheus + tlsConfig: + insecureSkipVerify: true + namespaceSelector: + matchNames: + - {{ include "vault.namespace" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-clusterrolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/server-clusterrolebinding.yaml new file mode 100644 index 0000000000..14ec838a04 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-clusterrolebinding.yaml @@ -0,0 +1,29 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverAuthDelegator" . }} +{{- if .serverAuthDelegator -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: {{ template "vault.fullname" . }}-server-binding + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} +{{ end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/templates/server-config-configmap.yaml b/charts/hashicorp/vault/0.28.0/templates/server-config-configmap.yaml similarity index 100% rename from charts/hashicorp/vault/templates/server-config-configmap.yaml rename to charts/hashicorp/vault/0.28.0/templates/server-config-configmap.yaml diff --git a/charts/hashicorp/vault/0.28.0/templates/server-discovery-role.yaml b/charts/hashicorp/vault/0.28.0/templates/server-discovery-role.yaml new file mode 100644 index 0000000000..0cbdefaff0 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-discovery-role.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ include "vault.namespace" . }} + name: {{ template "vault.fullname" . }}-discovery-role + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list", "update", "patch"] +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-discovery-rolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/server-discovery-rolebinding.yaml new file mode 100644 index 0000000000..87b0f6170d --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-discovery-rolebinding.yaml @@ -0,0 +1,34 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.serviceAccount.serviceDiscovery.enabled | toString) "true" }} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +{{- end }} +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-discovery-rolebinding + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "vault.fullname" . }}-discovery-role +subjects: +- kind: ServiceAccount + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-disruptionbudget.yaml b/charts/hashicorp/vault/0.28.0/templates/server-disruptionbudget.yaml new file mode 100644 index 0000000000..bbe9eb2995 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-disruptionbudget.yaml @@ -0,0 +1,31 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" -}} +{{- if .serverEnabled -}} +{{- if and (eq .mode "ha") (eq (.Values.server.ha.disruptionBudget.enabled | toString) "true") -}} +# PodDisruptionBudget to prevent degrading the server cluster through +# voluntary cluster changes. +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +spec: + maxUnavailable: {{ template "vault.pdb.maxUnavailable" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-ha-active-service.yaml b/charts/hashicorp/vault/0.28.0/templates/server-ha-active-service.yaml new file mode 100644 index 0000000000..9d2abfbb15 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-ha-active-service.yaml @@ -0,0 +1,64 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.active.enabled | toString) "true" }} +# Service for active Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-active + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-active: "true" + annotations: +{{- template "vault.service.active.annotations" . }} +{{- template "vault.service.annotations" . }} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.activeNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.activeNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "true" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-ha-standby-service.yaml b/charts/hashicorp/vault/0.28.0/templates/server-ha-standby-service.yaml new file mode 100644 index 0000000000..bae1e28345 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-ha-standby-service.yaml @@ -0,0 +1,63 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if eq .mode "ha" }} +{{- if eq (.Values.server.service.standby.enabled | toString) "true" }} +# Service for standby Vault pod +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-standby + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{- template "vault.service.standby.annotations" . }} +{{- template "vault.service.annotations" . }} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.standbyNodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.standbyNodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server + vault-active: "false" +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-headless-service.yaml b/charts/hashicorp/vault/0.28.0/templates/server-headless-service.yaml new file mode 100644 index 0000000000..c0f4d34604 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-headless-service.yaml @@ -0,0 +1,47 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-internal + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + vault-internal: "true" + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: "{{ include "vault.scheme" . }}" + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-ingress.yaml b/charts/hashicorp/vault/0.28.0/templates/server-ingress.yaml new file mode 100644 index 0000000000..d796bae416 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-ingress.yaml @@ -0,0 +1,69 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if not .Values.global.openshift }} +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .Values.server.ingress.enabled -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.ingress.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +{{- $servicePort := .Values.server.service.port -}} +{{- $pathType := .Values.server.ingress.pathType -}} +{{- $kubeVersion := .Capabilities.KubeVersion.Version }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.ingress.annotations" . }} +spec: +{{- if .Values.server.ingress.tls }} + tls: + {{- range .Values.server.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} +{{- if .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} +{{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + {{- range (.paths | default (list "/")) }} + - path: {{ . }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-network-policy.yaml b/charts/hashicorp/vault/0.28.0/templates/server-network-policy.yaml new file mode 100644 index 0000000000..43dcdb16fd --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-network-policy.yaml @@ -0,0 +1,24 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if eq (.Values.server.networkPolicy.enabled | toString) "true" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + ingress: {{- toYaml .Values.server.networkPolicy.ingress | nindent 4 }} + {{- if .Values.server.networkPolicy.egress }} + egress: + {{- toYaml .Values.server.networkPolicy.egress | nindent 4 }} + {{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-psp-role.yaml b/charts/hashicorp/vault/0.28.0/templates/server-psp-role.yaml new file mode 100644 index 0000000000..64cd6c5076 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-psp-role.yaml @@ -0,0 +1,25 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-psp-rolebinding.yaml b/charts/hashicorp/vault/0.28.0/templates/server-psp-rolebinding.yaml new file mode 100644 index 0000000000..342f553796 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-psp-rolebinding.yaml @@ -0,0 +1,26 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "vault.fullname" . }}-psp + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +roleRef: + kind: Role + name: {{ template "vault.fullname" . }}-psp + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "vault.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-psp.yaml b/charts/hashicorp/vault/0.28.0/templates/server-psp.yaml new file mode 100644 index 0000000000..567e66245e --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-psp.yaml @@ -0,0 +1,54 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if .serverEnabled -}} +{{- if and (ne .mode "") (eq (.Values.global.psp.enable | toString) "true") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "vault.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- template "vault.psp.annotations" . }} +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + {{- if eq (.Values.server.dataStorage.enabled | toString) "true" }} + - persistentVolumeClaim + {{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: MustRunAsNonRoot + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: RunAsAny + supplementalGroups: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: MustRunAs + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-route.yaml b/charts/hashicorp/vault/0.28.0/templates/server-route.yaml new file mode 100644 index 0000000000..4e955555ab --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-route.yaml @@ -0,0 +1,39 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{- if .Values.global.openshift }} +{{- if ne .mode "external" }} +{{- if .Values.server.route.enabled -}} +{{- $serviceName := include "vault.fullname" . -}} +{{- if and (eq .mode "ha" ) (eq (.Values.server.route.activeService | toString) "true") }} +{{- $serviceName = printf "%s-%s" $serviceName "active" -}} +{{- end }} +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- with .Values.server.route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- template "vault.route.annotations" . }} +spec: + host: {{ .Values.server.route.host }} + to: + kind: Service + name: {{ $serviceName }} + weight: 100 + port: + targetPort: 8200 + tls: + {{- toYaml .Values.server.route.tls | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-service.yaml b/charts/hashicorp/vault/0.28.0/templates/server-service.yaml new file mode 100644 index 0000000000..c12e190cb3 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-service.yaml @@ -0,0 +1,59 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.serverServiceEnabled" . -}} +{{- if .serverServiceEnabled -}} +# Service for Vault cluster +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + annotations: +{{ template "vault.service.annotations" .}} +spec: + {{- if .Values.server.service.type}} + type: {{ .Values.server.service.type }} + {{- end}} + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.server.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.server.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.server.service.ipFamilies }} + ipFamilies: {{ .Values.server.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + {{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} + {{- end }} + {{- include "service.externalTrafficPolicy" .Values.server.service }} + # We want the servers to become available even if they're not ready + # since this DNS is also used for join operations. + publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.server.service.port }} + targetPort: {{ .Values.server.service.targetPort }} + {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + - name: https-internal + port: 8201 + targetPort: 8201 + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + {{- if eq (.Values.server.service.instanceSelector.enabled | toString) "true" }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- end }} + component: server +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount-secret.yaml b/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount-secret.yaml new file mode 100644 index 0000000000..74d70f9005 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount-secret.yaml @@ -0,0 +1,21 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountSecretCreationEnabled" . }} +{{- if .serverServiceAccountSecretCreationEnabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "vault.serviceAccount.name" . }}-token + namespace: {{ include "vault.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "vault.serviceAccount.name" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} +type: kubernetes.io/service-account-token +{{ end }} \ No newline at end of file diff --git a/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount.yaml b/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount.yaml new file mode 100644 index 0000000000..216ea6178a --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.serverServiceAccountEnabled" . }} +{{- if .serverServiceAccountEnabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "vault.serviceAccount.name" . }} + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.server.serviceAccount.extraLabels -}} + {{- toYaml .Values.server.serviceAccount.extraLabels | nindent 4 -}} + {{- end -}} + {{ template "vault.serviceAccount.annotations" . }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/server-statefulset.yaml b/charts/hashicorp/vault/0.28.0/templates/server-statefulset.yaml new file mode 100644 index 0000000000..0d8e604d07 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/server-statefulset.yaml @@ -0,0 +1,232 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if ne .mode "" }} +{{- if .serverEnabled -}} +# StatefulSet to run the actual vault server cluster. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "vault.fullname" . }} + namespace: {{ include "vault.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.statefulSet.annotations" . }} +spec: + serviceName: {{ template "vault.fullname" . }}-internal + podManagementPolicy: Parallel + replicas: {{ template "vault.replicas" . }} + updateStrategy: + type: {{ .Values.server.updateStrategyType }} + {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.server.persistentVolumeClaimRetentionPolicy) }} + persistentVolumeClaimRetentionPolicy: {{ toYaml .Values.server.persistentVolumeClaimRetentionPolicy | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + template: + metadata: + labels: + helm.sh/chart: {{ template "vault.chart" . }} + app.kubernetes.io/name: {{ template "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if .Values.server.extraLabels -}} + {{- toYaml .Values.server.extraLabels | nindent 8 -}} + {{- end -}} + {{ template "vault.annotations" . }} + spec: + {{ template "vault.affinity" . }} + {{ template "vault.topologySpreadConstraints" . }} + {{ template "vault.tolerations" . }} + {{ template "vault.nodeselector" . }} + {{- if .Values.server.priorityClassName }} + priorityClassName: {{ .Values.server.priorityClassName }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + serviceAccountName: {{ template "vault.serviceAccount.name" . }} + {{ if .Values.server.shareProcessNamespace }} + shareProcessNamespace: true + {{ end }} + {{- template "server.statefulSet.securityContext.pod" . }} + {{- if not .Values.global.openshift }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- end }} + volumes: + {{ template "vault.volumes" . }} + - name: home + emptyDir: {} + {{- if .Values.server.hostAliases }} + hostAliases: + {{ toYaml .Values.server.hostAliases | nindent 8}} + {{- end }} + {{- if .Values.server.extraInitContainers }} + initContainers: + {{ toYaml .Values.server.extraInitContainers | nindent 8}} + {{- end }} + containers: + - name: vault + {{ template "vault.resources" . }} + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + command: + - "/bin/sh" + - "-ec" + args: {{ template "vault.args" . }} + {{- template "server.statefulSet.securityContext.container" . }} + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: VAULT_K8S_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VAULT_ADDR + value: "{{ include "vault.scheme" . }}://127.0.0.1:8200" + - name: VAULT_API_ADDR + {{- if .Values.server.ha.apiAddr }} + value: {{ .Values.server.ha.apiAddr }} + {{- else }} + value: "{{ include "vault.scheme" . }}://$(POD_IP):8200" + {{- end }} + - name: SKIP_CHOWN + value: "true" + - name: SKIP_SETCAP + value: "true" + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: VAULT_CLUSTER_ADDR + {{- if .Values.server.ha.clusterAddr }} + value: {{ .Values.server.ha.clusterAddr | quote }} + {{- else }} + value: "https://$(HOSTNAME).{{ template "vault.fullname" . }}-internal:8201" + {{- end }} + {{- if and (eq (.Values.server.ha.raft.enabled | toString) "true") (eq (.Values.server.ha.raft.setNodeId | toString) "true") }} + - name: VAULT_RAFT_NODE_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + {{- end }} + - name: HOME + value: "/home/vault" + {{- if .Values.server.logLevel }} + - name: VAULT_LOG_LEVEL + value: "{{ .Values.server.logLevel }}" + {{- end }} + {{- if .Values.server.logFormat }} + - name: VAULT_LOG_FORMAT + value: "{{ .Values.server.logFormat }}" + {{- end }} + {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey) }} + - name: VAULT_LICENSE_PATH + value: /vault/license/{{ .Values.server.enterpriseLicense.secretKey }} + {{- end }} + {{ template "vault.envs" . }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 12 }} + {{- include "vault.extraSecretEnvironmentVars" .Values.server | nindent 12 }} + volumeMounts: + {{ template "vault.mounts" . }} + - name: home + mountPath: /home/vault + ports: + - containerPort: 8200 + name: {{ include "vault.scheme" . }} + - containerPort: 8201 + name: https-internal + - containerPort: 8202 + name: {{ include "vault.scheme" . }}-rep + {{- if .Values.server.extraPorts -}} + {{ toYaml .Values.server.extraPorts | nindent 12}} + {{- end }} + {{- if .Values.server.readinessProbe.enabled }} + readinessProbe: + {{- if .Values.server.readinessProbe.path }} + httpGet: + path: {{ .Values.server.readinessProbe.path | quote }} + port: {{ .Values.server.readinessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + {{- else }} + # Check status; unsealed vault servers return 0 + # The exit code reflects the seal status: + # 0 - unsealed + # 1 - error + # 2 - sealed + exec: + command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] + {{- end }} + failureThreshold: {{ .Values.server.readinessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.server.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.readinessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.server.livenessProbe.enabled }} + livenessProbe: + {{- if .Values.server.livenessProbe.execCommand }} + exec: + command: + {{- range (.Values.server.livenessProbe.execCommand) }} + - {{ . | quote }} + {{- end }} + {{- else }} + httpGet: + path: {{ .Values.server.livenessProbe.path | quote }} + port: {{ .Values.server.livenessProbe.port }} + scheme: {{ include "vault.scheme" . | upper }} + {{- end }} + failureThreshold: {{ .Values.server.livenessProbe.failureThreshold }} + initialDelaySeconds: {{ .Values.server.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.server.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.server.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.server.livenessProbe.timeoutSeconds }} + {{- end }} + lifecycle: + # Vault container doesn't receive SIGTERM from Kubernetes + # and after the grace period ends, Kube sends SIGKILL. This + # causes issues with graceful shutdowns such as deregistering itself + # from Consul (zombie services). + preStop: + exec: + command: [ + "/bin/sh", "-c", + # Adding a sleep here to give the pod eviction a + # chance to propagate, so requests will not be made + # to this pod while it's terminating + "sleep {{ .Values.server.preStopSleepSeconds }} && kill -SIGTERM $(pidof vault)", + ] + {{- if .Values.server.postStart }} + postStart: + exec: + command: + {{- range (.Values.server.postStart) }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.server.extraContainers }} + {{ toYaml .Values.server.extraContainers | nindent 8}} + {{- end }} + {{- include "imagePullSecrets" . | nindent 6 }} + {{ template "vault.volumeclaims" . }} +{{ end }} +{{ end }} +{{ end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/tests/server-test.yaml b/charts/hashicorp/vault/0.28.0/templates/tests/server-test.yaml new file mode 100644 index 0000000000..20e2e5a5a1 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/tests/server-test.yaml @@ -0,0 +1,56 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- if .serverEnabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ template "vault.fullname" . }}-server-test + namespace: {{ include "vault.namespace" . }} + annotations: + "helm.sh/hook": test +spec: + {{- include "imagePullSecrets" . | nindent 2 }} + containers: + - name: {{ .Release.Name }}-server-test + image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default "latest" }} + imagePullPolicy: {{ .Values.server.image.pullPolicy }} + env: + - name: VAULT_ADDR + value: {{ include "vault.scheme" . }}://{{ template "vault.fullname" . }}.{{ include "vault.namespace" . }}.svc:{{ .Values.server.service.port }} + {{- include "vault.extraEnvironmentVars" .Values.server | nindent 8 }} + command: + - /bin/sh + - -c + - | + echo "Checking for sealed info in 'vault status' output" + ATTEMPTS=10 + n=0 + until [ "$n" -ge $ATTEMPTS ] + do + echo "Attempt" $n... + vault status -format yaml | grep -E '^sealed: (true|false)' && break + n=$((n+1)) + sleep 5 + done + if [ $n -ge $ATTEMPTS ]; then + echo "timed out looking for sealed info in 'vault status' output" + exit 1 + fi + + exit 0 + volumeMounts: + {{- if .Values.server.volumeMounts }} + {{- toYaml .Values.server.volumeMounts | nindent 8}} + {{- end }} + volumes: + {{- if .Values.server.volumes }} + {{- toYaml .Values.server.volumes | nindent 4}} + {{- end }} + restartPolicy: Never +{{- end }} +{{- end }} diff --git a/charts/hashicorp/vault/0.28.0/templates/ui-service.yaml b/charts/hashicorp/vault/0.28.0/templates/ui-service.yaml new file mode 100644 index 0000000000..95370842e7 --- /dev/null +++ b/charts/hashicorp/vault/0.28.0/templates/ui-service.yaml @@ -0,0 +1,50 @@ +{{/* +Copyright (c) HashiCorp, Inc. +SPDX-License-Identifier: MPL-2.0 +*/}} + +{{ template "vault.mode" . }} +{{- if ne .mode "external" }} +{{- template "vault.uiEnabled" . -}} +{{- if .uiEnabled -}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "vault.fullname" . }}-ui + namespace: {{ include "vault.namespace" . }} + labels: + helm.sh/chart: {{ include "vault.chart" . }} + app.kubernetes.io/name: {{ include "vault.name" . }}-ui + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- template "vault.ui.annotations" . }} +spec: + {{- if (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) }} + {{- if .Values.ui.serviceIPFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ui.serviceIPFamilyPolicy }} + {{- end }} + {{- if .Values.ui.serviceIPFamilies }} + ipFamilies: {{ .Values.ui.serviceIPFamilies | toYaml | nindent 2 }} + {{- end }} + {{- end }} + selector: + app.kubernetes.io/name: {{ include "vault.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + component: server + {{- if and (.Values.ui.activeVaultPodOnly) (eq .mode "ha") }} + vault-active: "true" + {{- end }} + publishNotReadyAddresses: {{ .Values.ui.publishNotReadyAddresses }} + ports: + - name: {{ include "vault.scheme" . }} + port: {{ .Values.ui.externalPort }} + targetPort: {{ .Values.ui.targetPort }} + {{- if .Values.ui.serviceNodePort }} + nodePort: {{ .Values.ui.serviceNodePort }} + {{- end }} + type: {{ .Values.ui.serviceType }} + {{- include "service.externalTrafficPolicy" .Values.ui }} + {{- include "service.loadBalancer" .Values.ui }} +{{- end -}} +{{- end }} diff --git a/charts/hashicorp/vault/values.openshift.yaml b/charts/hashicorp/vault/0.28.0/values.openshift.yaml similarity index 100% rename from charts/hashicorp/vault/values.openshift.yaml rename to charts/hashicorp/vault/0.28.0/values.openshift.yaml diff --git a/charts/hashicorp/vault/values.schema.json b/charts/hashicorp/vault/0.28.0/values.schema.json similarity index 100% rename from charts/hashicorp/vault/values.schema.json rename to charts/hashicorp/vault/0.28.0/values.schema.json diff --git a/charts/hashicorp/vault/values.yaml b/charts/hashicorp/vault/0.28.0/values.yaml similarity index 100% rename from charts/hashicorp/vault/values.yaml rename to charts/hashicorp/vault/0.28.0/values.yaml diff --git a/charts/hpe/hpe-array-exporter/Chart.yaml b/charts/hpe/hpe-array-exporter/1.0.2/Chart.yaml similarity index 100% rename from charts/hpe/hpe-array-exporter/Chart.yaml rename to charts/hpe/hpe-array-exporter/1.0.2/Chart.yaml diff --git a/charts/hpe/hpe-array-exporter/README.md b/charts/hpe/hpe-array-exporter/1.0.2/README.md similarity index 100% rename from charts/hpe/hpe-array-exporter/README.md rename to charts/hpe/hpe-array-exporter/1.0.2/README.md diff --git a/charts/hpe/hpe-array-exporter/app-readme.md b/charts/hpe/hpe-array-exporter/1.0.2/app-readme.md similarity index 100% rename from charts/hpe/hpe-array-exporter/app-readme.md rename to charts/hpe/hpe-array-exporter/1.0.2/app-readme.md diff --git a/charts/hpe/hpe-array-exporter/questions.yml b/charts/hpe/hpe-array-exporter/1.0.2/questions.yml similarity index 100% rename from charts/hpe/hpe-array-exporter/questions.yml rename to charts/hpe/hpe-array-exporter/1.0.2/questions.yml diff --git a/charts/hpe/hpe-array-exporter/templates/NOTES.txt b/charts/hpe/hpe-array-exporter/1.0.2/templates/NOTES.txt similarity index 100% rename from charts/hpe/hpe-array-exporter/templates/NOTES.txt rename to charts/hpe/hpe-array-exporter/1.0.2/templates/NOTES.txt diff --git a/charts/hpe/hpe-array-exporter/templates/_helpers.tpl b/charts/hpe/hpe-array-exporter/1.0.2/templates/_helpers.tpl similarity index 100% rename from charts/hpe/hpe-array-exporter/templates/_helpers.tpl rename to charts/hpe/hpe-array-exporter/1.0.2/templates/_helpers.tpl diff --git a/charts/hpe/hpe-array-exporter/templates/hpe-array-exporter.yaml b/charts/hpe/hpe-array-exporter/1.0.2/templates/hpe-array-exporter.yaml similarity index 100% rename from charts/hpe/hpe-array-exporter/templates/hpe-array-exporter.yaml rename to charts/hpe/hpe-array-exporter/1.0.2/templates/hpe-array-exporter.yaml diff --git a/charts/hpe/hpe-array-exporter/templates/tests/test-hpe-array-exporter.yaml b/charts/hpe/hpe-array-exporter/1.0.2/templates/tests/test-hpe-array-exporter.yaml similarity index 100% rename from charts/hpe/hpe-array-exporter/templates/tests/test-hpe-array-exporter.yaml rename to charts/hpe/hpe-array-exporter/1.0.2/templates/tests/test-hpe-array-exporter.yaml diff --git a/charts/hpe/hpe-array-exporter/values.schema.json b/charts/hpe/hpe-array-exporter/1.0.2/values.schema.json similarity index 100% rename from charts/hpe/hpe-array-exporter/values.schema.json rename to charts/hpe/hpe-array-exporter/1.0.2/values.schema.json diff --git a/charts/hpe/hpe-array-exporter/values.yaml b/charts/hpe/hpe-array-exporter/1.0.2/values.yaml similarity index 100% rename from charts/hpe/hpe-array-exporter/values.yaml rename to charts/hpe/hpe-array-exporter/1.0.2/values.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.0/Chart.yaml b/charts/hpe/hpe-csi-driver/2.4.0/Chart.yaml new file mode 100644 index 0000000000..d3eccbeef7 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/Chart.yaml @@ -0,0 +1,34 @@ +annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://scod.hpedev.io/csi_driver + artifacthub.io/prerelease: "false" + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/olm/community-operators/hpe-csi-operator + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-csi-info-metrics + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-array-exporter + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HPE CSI Driver for Kubernetes + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/namespace: hpe-storage + catalog.cattle.io/release-name: hpe-csi-driver +apiVersion: v1 +appVersion: 2.4.0 +description: A Helm chart for installing the HPE CSI Driver for Kubernetes +home: https://hpe.com/storage/containers +icon: https://raw.githubusercontent.com/hpe-storage/co-deployments/master/docs/assets/hpedev.png +keywords: +- HPE +- Storage +- CSI +maintainers: +- email: dev-hi-containers@hpe.com + name: datamattsson +name: hpe-csi-driver +sources: +- https://github.com/hpe-storage/co-deployments +- https://github.com/hpe-storage/csi-driver +version: 2.4.0 diff --git a/charts/hpe/hpe-csi-driver/2.4.0/README.md b/charts/hpe/hpe-csi-driver/2.4.0/README.md new file mode 100644 index 0000000000..7c5c698508 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/README.md @@ -0,0 +1,169 @@ +# HPE CSI Driver for Kubernetes Helm chart + +The [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/index.html) leverages Hewlett Packard Enterprise storage platforms to provide scalable and persistent storage for stateful applications. + +## Prerequisites + +- Most recent Kubernetes distributions are supported +- Recent Ubuntu, SLES or RHEL (and its derives) compute nodes connected to their respective official package repositories +- Helm 3 (Version >= 3.2.0 required) + +Refer to [Compatibility & Support](https://scod.hpedev.io/csi_driver/index.html#compatibility_and_support) on [SCOD](https://scod.hpedev.io/) for currently supported versions of Kubernetes and compute nodes. + +Depending on which [Container Storage Provider](https://scod.hpedev.io/container_storage_provider/index.html) (CSP) is being used, other prerequisites and requirements may apply, such as storage platform OS and features. + +- [HPE Alletra 5000/6000 and Nimble Storage](https://scod.hpedev.io/container_storage_provider/hpe_nimble_storage/index.html) +- [HPE Alletra 9000, Primera and 3PAR](https://scod.hpedev.io/container_storage_provider/hpe_3par_primera/index.html) + +## Configuration and installation + +The following table lists the configurable parameters of the chart and their default values. + +| Parameter | Description | Default | +|---------------------------|------------------------------------------------------------------------|------------------| +| disable.nimble | Disable HPE Nimble Storage CSP `Service`. | false | +| disable.primera | Disable HPE Primera (and 3PAR) CSP `Service`. | false | +| disable.alletra6000 | Disable HPE Alletra 5000/6000 CSP `Service`. | false | +| disable.alletra9000 | Disable HPE Alletra 9000 CSP `Service`. | false | +| disableNodeConformance | Disable automatic installation of iSCSI, multipath and NFS packages. | false | +| disableNodeConfiguration | Disables node conformance and configuration.`*` | false | +| disableNodeGetVolumeStats | Disable NodeGetVolumeStats call to CSI driver. | false | +| imagePullPolicy | Image pull policy (`Always`, `IfNotPresent`, `Never`). | IfNotPresent | +| iscsi.chapUser | Username for iSCSI CHAP authentication. | "" | +| iscsi.chapPassword | Password for iSCSI CHAP authentication. | "" | +| logLevel | Log level. Can be one of `info`, `debug`, `trace`, `warn` and `error`. | info | +| registry | Registry to pull HPE CSI Driver container images from. | quay.io | +| kubeletRootDir | The kubelet root directory path. | /var/lib/kubelet | +| controller.labels | Additional labels for HPE CSI Driver controller Pods. | {} | +| controller.nodeSelector | Node labels for HPE CSI Driver controller Pods assignment. | {} | +| controller.affinity | Affinity rules for the HPE CSI Driver controller Pods. | {} | +| controller.tolerations | Node taints to tolerate for the HPE CSI Driver controller Pods. | [] | +| csp.labels | Additional labels for CSP Pods. | {} | +| csp.nodeSelector | Node labels for CSP Pods assignment. | {} | +| csp.affinity | Affinity rules for the CSP Pods. | {} | +| csp.tolerations | Node taints to tolerate for the CSP Pods. | [] | +| node.labels | Additional labels for HPE CSI Driver node Pods. | {} | +| node.nodeSelector | Node labels for HPE CSI Driver node Pods assignment. | {} | +| node.affinity | Affinity rules for the HPE CSI Driver node Pods. | {} | +| node.tolerations | Node taints to tolerate for the HPE CSI Driver node Pods. | [] | + +`*` = Disabling node conformance and configuration may prevent the CSI driver from functioning properly. See the [manual node configuration](https://scod.hpedev.io/csi_driver/operations.html#manual_node_configuration) section on SCOD to understand the consequences. + +It's recommended to create a [values.yaml](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver) file from the corresponding release of the chart and edit it to fit the environment the chart is being deployed to. Download and edit [a sample file](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver). + +These are the bare minimum required parameters for a successful deployment to an iSCSI environment if CHAP authentication is required. + +``` +iscsi: + chapUser: "" + chapPassword: "" +``` + +Tweak any additional parameters to suit the environment or as prescribed by HPE. + +### Installing the chart + +To install the chart with the name `my-hpe-csi-driver`: + +Add HPE helm repo: + +``` +helm repo add hpe-storage https://hpe-storage.github.io/co-deployments/ +helm repo update +``` + +Install the latest chart: + +``` +helm install --create-namespace -n hpe-storage my-hpe-csi-driver hpe-storage/hpe-csi-driver +``` + +**Note**: By default, the latest stable chart will be installed. If it's labeled with `prerelease` and a "beta" version tag, add `--version X.Y.Z-beta` to the command line to install a "beta" chart. + +### Upgrading the chart + +Due to the [helm limitation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) to not support upgrade of CRDs between different chart versions, helm chart upgrade is not supported. +Our recommendation is to uninstall the existing chart and install the chart with the desired version. CRDs will be preserved between uninstall and install. + +#### Upgrading 2.0.0 to 2.1.0 + +Before version 2.0.0 is uninstalled, the following CRDs needs to be updated. + +**Important:** If there are HPE Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster, follow the [next steps](#update-rcg-info) before uninstallation. + +##### Update RCG Info + +This step is only necessary if there are HPE Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster. If there are none, proceed to the [next step](#update-crds). + +Change kubectl context into the Namespace where the HPE CSI Driver is installed. The most common is "hpe-storage". + +``` +kubectl config set-context --current --namespace=hpe-storage +``` + +Create the Job using the below commands, which will modify the "rcg-info" record to the new key "RCGCreatedByCSP". + +``` +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/yaml/rcg-info/v1.0.0/convert-rcg-info.yaml +``` + +Completion of job status can be verified using the below command. + +``` +kubectl wait --for=condition=complete --timeout=600s job/primera3par-rcg-info +``` + +Continue to [update the CRDs](#update-crds) followed by [uninstalling the chart](#uninstalling-the-chart). + +##### Update CRDs + +Before reinstallation of the driver, apply the new CRDs. + +``` +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpevolumeinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpevolumegroupinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/snapshotgroupinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpereplicated_deviceinfo_v2_crd.yaml +``` + +#### Uninstalling the chart + +To uninstall the `my-hpe-csi-driver` chart: + +``` +helm uninstall my-hpe-csi-driver -n hpe-storage +``` + +**Note**: Due to a limitation in Helm, CRDs are not deleted as part of the chart uninstall. + +### Alternative install method + +In some cases it's more practical to provide the local configuration via the `helm` CLI directly. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. These will take precedence over entries in [values.yaml](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver). For example: + +``` +helm install my-hpe-csi-driver hpe-storage/hpe-csi-driver -n hpe-storage \ + --set iscsi.chapUsername=admin \ + --set iscsi.chapPassword=xxxxxxxx +``` + +## Using persistent storage with Kubernetes + +Enable dynamic provisioning of persistent storage by creating a `StorageClass` API object that references a `Secret` which maps to a supported HPE primary storage backend. Refer to the [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/deployment.html#add_a_hpe_storage_backend) documentation on [HPE Storage Container Orchestration Documentation](https://scod.hpedev.io/). Also, it's helpful to be familiar with [persistent storage concepts](https://kubernetes.io/docs/concepts/storage/volumes/) in Kubernetes prior to deploying stateful workloads. + +## Support + +The HPE CSI Driver for Kubernetes Helm chart is fully supported by HPE. + +Formal support statements for each HPE supported CSP is [available on SCOD](https://scod.hpedev.io/legal/support). Use this facility for formal support of your HPE storage products, including the Helm chart. + +## Community + +Please file any issues, questions or feature requests you may have [here](https://github.com/hpe-storage/co-deployments/issues) (do not use this facility for support inquiries of your HPE storage product, see [SCOD](https://scod.hpedev.io/legal/support) for support). You may also join our Slack community to chat with HPE folks close to this project. We hang out in `#NimbleStorage`, `#3par-primera`, and `#Kubernetes`. Sign up at [slack.hpedev.io](https://slack.hpedev.io/) and login at [hpedev.slack.com](https://hpedev.slack.com/) + +## Contributing + +We value all feedback and contributions. If you find any issues or want to contribute, please feel free to open an issue or file a PR. More details in [CONTRIBUTING.md](https://github.com/hpe-storage/co-deployments/blob/master/CONTRIBUTING.md) + +## License + +This is open source software licensed using the Apache License 2.0. Please see [LICENSE](https://github.com/hpe-storage/co-deployments/blob/master/LICENSE) for details. diff --git a/charts/hpe/hpe-csi-driver/app-readme.md b/charts/hpe/hpe-csi-driver/2.4.0/app-readme.md similarity index 100% rename from charts/hpe/hpe-csi-driver/app-readme.md rename to charts/hpe/hpe-csi-driver/2.4.0/app-readme.md diff --git a/charts/hpe/hpe-csi-driver/crds/hpe-nodeinfo-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/hpe-nodeinfo-crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/hpe-nodeinfo-crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/hpe-nodeinfo-crd.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/hpereplicated_deviceinfo_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/hpereplicated_deviceinfo_v2_crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/hpereplicated_deviceinfo_v2_crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/hpereplicated_deviceinfo_v2_crd.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/hpevolumegroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/hpevolumegroupinfos_v2_crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/hpevolumegroupinfos_v2_crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/hpevolumegroupinfos_v2_crd.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/hpevolumeinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/hpevolumeinfos_v2_crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/hpevolumeinfos_v2_crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/hpevolumeinfos_v2_crd.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/snapshotgroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/snapshotgroupinfos_v2_crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/snapshotgroupinfos_v2_crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/snapshotgroupinfos_v2_crd.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroupclasses.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroupclasses.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroupclasses.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroupcontents.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroupcontents.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroupcontents.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroups.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroups.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_snapshotgroups.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_snapshotgroups.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroupclasses.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroupclasses.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroupclasses.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroupcontents.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroupcontents.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroupcontents.yaml diff --git a/charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroups.yaml b/charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroups.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/crds/storage.hpe.com_volumegroups.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/crds/storage.hpe.com_volumegroups.yaml diff --git a/charts/hpe/hpe-csi-driver/files/config.json b/charts/hpe/hpe-csi-driver/2.4.0/files/config.json similarity index 100% rename from charts/hpe/hpe-csi-driver/files/config.json rename to charts/hpe/hpe-csi-driver/2.4.0/files/config.json diff --git a/charts/hpe/hpe-csi-driver/questions.yml b/charts/hpe/hpe-csi-driver/2.4.0/questions.yml similarity index 100% rename from charts/hpe/hpe-csi-driver/questions.yml rename to charts/hpe/hpe-csi-driver/2.4.0/questions.yml diff --git a/charts/hpe/hpe-csi-driver/templates/NOTES.txt b/charts/hpe/hpe-csi-driver/2.4.0/templates/NOTES.txt similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/NOTES.txt rename to charts/hpe/hpe-csi-driver/2.4.0/templates/NOTES.txt diff --git a/charts/hpe/hpe-csi-driver/templates/_helpers.tpl b/charts/hpe/hpe-csi-driver/2.4.0/templates/_helpers.tpl similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/_helpers.tpl rename to charts/hpe/hpe-csi-driver/2.4.0/templates/_helpers.tpl diff --git a/charts/hpe/hpe-csi-driver/templates/csi-driver-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/csi-driver-crd.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/csi-driver-crd.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/templates/csi-driver-crd.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-controller.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-controller.yaml new file mode 100644 index 0000000000..86b3eec226 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-controller.yaml @@ -0,0 +1,241 @@ +--- + +############################################# +############ Controller driver ############ +############################################# + +kind: Deployment +apiVersion: apps/v1 +metadata: + name: hpe-csi-controller + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: hpe-csi-controller + template: + metadata: + labels: + app: hpe-csi-controller + role: hpe-csi + {{- if .Values.controller.labels }} +{{ toYaml .Values.controller.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csi-controller-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + dnsConfig: + options: + - name: ndots + value: "1" + containers: + - name: csi-provisioner + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-provisioner:v3.5.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-provisioner:v3.5.0 + {{- end }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--extra-create-metadata" + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "13") }} + - "--timeout=30s" + - "--worker-threads=16" + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: csi-attacher + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-attacher:v4.3.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-attacher:v4.3.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-attacher:v4.3.0 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + {{- if and ( or (eq .Values.disable.primera false) (eq .Values.disable.alletra9000 false) ) ( or (eq .Values.disable.nimble true) (eq .Values.disable.alletra6000 true) ) }} + - "--timeout=180s" + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: csi-snapshotter + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "20") }} + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-snapshotter:v6.2.2 + {{- else }} + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2 + {{- end }} + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} + - name: csi-resizer + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-resizer:v1.8.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0 + {{- end }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + {{- end }} + - name: hpe-csi-driver + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.0 + {{- else }} + image: quay.io/hpestorage/csi-driver:v2.4.0 + {{- end }} + args : + - "--endpoint=$(CSI_ENDPOINT)" + - "--flavor=kubernetes" + - "--pod-monitor" + - "--pod-monitor-interval=30" + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: log-dir + mountPath: /var/log + - name: k8s + mountPath: /etc/kubernetes + - name: hpeconfig + mountPath: /etc/hpe-storage + - name: root-dir + mountPath: /host + - name: csi-volume-mutator + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-mutator:v1.3.4 + {{- else }} + image: quay.io/hpestorage/volume-mutator:v1.3.4 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-volume-group-snapshotter + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-group-snapshotter:v1.0.4 + {{- else }} + image: quay.io/hpestorage/volume-group-snapshotter:v1.0.4 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-volume-group-provisioner + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-group-provisioner:v1.0.4 + {{- else }} + image: quay.io/hpestorage/volume-group-provisioner:v1.0.4 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-extensions + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-extensions:v1.2.5 + {{- else }} + image: quay.io/hpestorage/csi-extensions:v1.2.5 + {{- end }} + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi-extensions.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + volumes: + - name: socket-dir + emptyDir: {} + - name: log-dir + hostPath: + path: /var/log + - name: k8s + hostPath: + path: /etc/kubernetes + - name: hpeconfig + hostPath: + path: /etc/hpe-storage + - name: root-dir + hostPath: + path: / + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-node.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-node.yaml new file mode 100644 index 0000000000..f12a957e9d --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-node.yaml @@ -0,0 +1,214 @@ +--- + +####################################### +############ Node driver ############ +####################################### + +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: hpe-csi-node + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: hpe-csi-node + template: + metadata: + labels: + app: hpe-csi-node + role: hpe-csi + {{- if .Values.node.labels }} +{{ toYaml .Values.node.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csi-node-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-node-critical + {{- end }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + dnsConfig: + options: + - name: ndots + value: "1" + containers: + - name: csi-node-driver-registrar + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-node-driver-registrar:v2.8.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0 + {{- end}} + args: + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=5" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + {{- if .Values.kubeletRootDir }} + value: {{ .Values.kubeletRootDir }}/plugins/csi.hpe.com/csi.sock + {{- else }} + value: /var/lib/kubelet/plugins/csi.hpe.com/csi.sock + {{- end }} + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "12") }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + - name: hpe-csi-driver + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.0 + {{- else }} + image: quay.io/hpestorage/csi-driver:v2.4.0 + {{- end}} + args : + - "--endpoint=$(CSI_ENDPOINT)" + - "--node-service" + - "--flavor=kubernetes" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{ if and .Values.iscsi.chapUser .Values.iscsi.chapPassword }} + - name: CHAP_USER + value: {{ .Values.iscsi.chapUser }} + - name: CHAP_PASSWORD + value: {{ .Values.iscsi.chapPassword }} + {{- end }} + {{ if .Values.disableNodeConformance -}} + - name: DISABLE_NODE_CONFORMANCE + value: "true" + {{- end }} + {{ if .Values.disableNodeConfiguration -}} + - name: DISABLE_NODE_CONFIGURATION + value: "true" + {{- end }} + {{- if .Values.kubeletRootDir }} + - name: KUBELET_ROOT_DIR + value: {{ .Values.kubeletRootDir }} + {{- end }} + {{ if .Values.disableNodeGetVolumeStats -}} + - name: DISABLE_NODE_GET_VOLUMESTATS + value: "true" + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: pods-mount-dir + {{- if .Values.kubeletRootDir }} + mountPath: {{ .Values.kubeletRootDir }} + {{- else }} + mountPath: /var/lib/kubelet + {{- end }} + # needed so that any mounts setup inside this container are + # propagated back to the host machine. + mountPropagation: "Bidirectional" + - name: root-dir + mountPath: /host + mountPropagation: "Bidirectional" + - name: device-dir + mountPath: /dev + - name: log-dir + mountPath: /var/log + - name: etc-hpe-storage-dir + mountPath: /etc/hpe-storage + - name: etc-kubernetes + mountPath: /etc/kubernetes + - name: sys + mountPath: /sys + - name: runsystemd + mountPath: /run/systemd + - name: etcsystemd + mountPath: /etc/systemd/system + - name: linux-config-file + mountPath: /opt/hpe-storage/nimbletune/config.json + subPath: config.json + volumes: + - name: registration-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }}/plugins_registry + {{- else }} + path: /var/lib/kubelet/plugins_registry + {{- end }} + type: Directory + - name: plugin-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }}/plugins/csi.hpe.com + {{- else }} + path: /var/lib/kubelet/plugins/csi.hpe.com + {{- end }} + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }} + {{- else }} + path: /var/lib/kubelet + {{- end }} + - name: root-dir + hostPath: + path: / + - name: device-dir + hostPath: + path: /dev + - name: log-dir + hostPath: + path: /var/log + - name: etc-hpe-storage-dir + hostPath: + path: /etc/hpe-storage + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes + - name: runsystemd + hostPath: + path: /run/systemd + - name: etcsystemd + hostPath: + path: /etc/systemd/system + - name: sys + hostPath: + path: /sys + - name: linux-config-file + configMap: + name: hpe-linux-config + {{- if .Values.node.nodeSelector }} + nodeSelector: +{{ toYaml .Values.node.nodeSelector | indent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + key: csi.hpe.com/hpe-nfs + operator: Exists + {{- if .Values.node.tolerations }} +{{ toYaml .Values.node.tolerations | indent 8 }} + {{- end }} + {{- if .Values.node.affinity }} + affinity: +{{ toYaml .Values.node.affinity | indent 8 }} + {{- end }} diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-csi-rbac.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-rbac.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/hpe-csi-rbac.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-csi-rbac.yaml diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-linux-config.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-linux-config.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/hpe-linux-config.yaml rename to charts/hpe/hpe-csi-driver/2.4.0/templates/hpe-linux-config.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.0/templates/nimble-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/nimble-csp.yaml new file mode 100644 index 0000000000..ffbec07271 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/templates/nimble-csp.yaml @@ -0,0 +1,93 @@ +{{- if not .Values.disable.alletra6000 }} + +--- +### Alletra 5000/6000 CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: alletra6000-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: alletra6000-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: nimble-csp +{{- end }} + +{{- if not .Values.disable.nimble }} +--- +### Nimble CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: nimble-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: nimble-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: nimble-csp +{{- end }} + + +{{- if or (not .Values.disable.alletra6000) (not .Values.disable.nimble) }} +--- +### CSP deployment ### +kind: Deployment +apiVersion: apps/v1 +metadata: + name: nimble-csp + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: nimble-csp + replicas: 1 + template: + metadata: + labels: + app: nimble-csp + {{- if .Values.csp.labels }} +{{ toYaml .Values.csp.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csp-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + containers: + - name: nimble-csp + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/alletra-6000-and-nimble-csp:v2.4.0 + {{- else }} + image: quay.io/hpestorage/alletra-6000-and-nimble-csp:v2.4.0 + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + ports: + - containerPort: 8080 + volumeMounts: + - name: log-dir + mountPath: /var/log + volumes: + - name: log-dir + hostPath: + path: /var/log + {{- if .Values.csp.nodeSelector }} + nodeSelector: +{{ toYaml .Values.csp.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.csp.tolerations }} + tolerations: +{{ toYaml .Values.csp.tolerations | indent 8 }} + {{- end }} + {{- if .Values.csp.affinity }} + affinity: +{{ toYaml .Values.csp.affinity | indent 8 }} + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.0/templates/primera-3par-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.0/templates/primera-3par-csp.yaml new file mode 100644 index 0000000000..93353d7a87 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/templates/primera-3par-csp.yaml @@ -0,0 +1,100 @@ +{{- if not .Values.disable.alletra9000 }} +--- +### Alletra9000 CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: alletra9000-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: alletra9000-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: primera3par-csp + +{{- end }} + +{{- if not .Values.disable.primera }} +--- +### Primera3par CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: primera3par-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: primera3par-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: primera3par-csp +{{- end }} + +{{- if or (not .Values.disable.alletra9000) (not .Values.disable.primera) }} + +--- +### CSP deployment ### +kind: Deployment +apiVersion: apps/v1 +metadata: + name: primera3par-csp + labels: + app: primera3par-csp + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: primera3par-csp + replicas: 1 + template: + metadata: + labels: + app: primera3par-csp + {{- if .Values.csp.labels }} +{{ toYaml .Values.csp.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csp-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + containers: + - name: primera3par-csp + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.0 + {{- else }} + image: quay.io/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.0 + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + env: + - name: CRD_CLIENT_CONFIG_QPS + value: "35" + - name: CRD_CLIENT_CONFIG_BURST + value: "20" + ports: + - containerPort: 8080 + volumeMounts: + - name: log-dir + mountPath: /var/log + volumes: + - name: log-dir + hostPath: + path: /var/log + {{- if .Values.csp.nodeSelector }} + nodeSelector: +{{ toYaml .Values.csp.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.csp.tolerations }} + tolerations: +{{ toYaml .Values.csp.tolerations | indent 8 }} + {{- end }} + {{- if .Values.csp.affinity }} + affinity: +{{ toYaml .Values.csp.affinity | indent 8 }} + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.0/values.schema.json b/charts/hpe/hpe-csi-driver/2.4.0/values.schema.json new file mode 100644 index 0000000000..2818c225fd --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/values.schema.json @@ -0,0 +1,283 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "$id": "http://example.com/example.json", + "title": "HPE CSI Driver for Kubernetes Helm Chart JSON Schema", + "type": "object", + "default": + { + "disable": { + "nimble": false, + "primera": false, + "alletra6000": false, + "alletra9000": false + }, + "disableNodeConformance": false, + "disableNodeConfiguration": false, + "imagePullPolicy": "IfNotPresent", + "iscsi": { + "chapUser": "", + "chapPassword": "" + }, + "logLevel": "info", + "registry": "quay.io", + "kubeletRootDir": "/var/lib/kubelet/", + "disableNodeGetVolumeStats": false, + "csp": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + }, + "controller": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + }, + "node": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + } + + }, + "required": [ + "disable", + "disableNodeConformance", + "disableNodeConfiguration", + "imagePullPolicy", + "iscsi", + "logLevel", + "registry", + "kubeletRootDir", + "disableNodeGetVolumeStats", + "csp", + "controller", + "node" + ], + "properties": { + "disable": { + "$id": "#/properties/disable", + "title": "CSP Deployment and Service backend exclusion", + "description": "All backend Deployments and Services are installed by default.", + "type": "object", + "default": + { + "nimble": false, + "primera": false, + "alletra6000": false, + "alletra9000": false + }, + "required": [ + "nimble", + "primera", + "alletra6000", + "alletra9000" + ], + "properties": { + "nimble": { + "$id": "#/properties/disable/properties/nimble", + "title": "HPE Nimble Storage", + "type": "boolean", + "default": false + }, + "primera": { + "$id": "#/properties/disable/properties/primera", + "title": "HPE Primera", + "type": "boolean", + "default": false + }, + "alletra6000": { + "$id": "#/properties/disable/properties/alletra6000", + "title": "HPE Alletra 5000/6000", + "type": "boolean", + "default": false + }, + "alletra9000": { + "$id": "#/properties/disable/properties/alletra9000", + "title": "HPE Alletra 9000", + "type": "boolean", + "default": false + } + }, + "additionalProperties": false + }, + "disableNodeConformance": { + "$id": "#/properties/disableNodeConformance", + "title": "Disable node conformance", + "description": "Disabling node conformance forces the cluster administrator to install required packages and ensure the correct node services are started to use external block storage.", + "type": "boolean", + "default": false + }, + "disableNodeConfiguration": { + "$id": "#/properties/disableNodeConfiguration", + "title": "Disable node configuration", + "description": "Disabling node configuration forces the cluster administrator to ensure all node services are configured and started to use external block storage.", + "type": "boolean", + "default": false + }, + "imagePullPolicy": { + "$id": "#/properties/imagePullPolicy", + "title": "CSI driver image pull policy", + "type": "string", + "default": "IfNotPresent", + "enum": [ "Always", "IfNotPresent", "Never" ] + }, + "iscsi": { + "$id": "#/properties/iscsi", + "title": "iSCSI CHAP credentials", + "type": "object", + "default": + { + "chapUser": "", + "chapPassword": "" + }, + "required": [ + "chapUser", + "chapPassword" + ], + "properties": { + "chapUser": { + "$id": "#/properties/iscsi/properties/chapUser", + "title": "CHAP username", + "type": "string", + "default": "" + }, + "chapPassword": { + "$id": "#/properties/iscsi/properties/chapPassword", + "title": "CHAP password", + "description": "Between 12 and 16 characters", + "type": "string", + "default": "", + "pattern": "^$|^[a-zA-Z0-9+_)(*^%$#@!]{12,16}$" + } + }, + "additionalProperties": false + }, + "logLevel": { + "$id": "#/properties/logLevel", + "title": "Set the log level of the HPE CSI Driver images", + "type": "string", + "default": "info", + "enum": [ "info", "debug", "trace", "warn", "error" ] + }, + "registry": { + "$id": "#/properties/registry", + "title": "Pull images from a different registry than default", + "description": "SIG Storage images needs to be mirrored from k8s.gcr.io to this registry if this parameter is changed.", + "type": "string", + "default": "quay.io" + }, + "kubeletRootDir": { + "$id": "#/properties/kubeletRootDir", + "title": "Kubelet root directory", + "description": "Only change this if the kubelet root dir has been altered by the Kubernetes platform installer.", + "type": "string", + "default": "/var/lib/kubelet", + "pattern": "^/" + }, + "disableNodeGetVolumeStats": { + "$id": "#/properties/disableNodeGetVolumeStats", + "title": "Disable the CSI nodeGetVolumeStats call", + "description": "In very large environments, disabling this feature may alleviate pressure on the CSP.", + "type": "boolean", + "default": false + }, + "csp": { + "nodeSelector": { + "$id": "#/properties/csp/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/csp/properties/tolerations", + "title": "Set tolerations for the csp pods(optional).", + "description": "Tolerations is the list of tolerations for the csp pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/csp/properties/affinity", + "title": "Node affinity for csp plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/csp/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "controller": { + "nodeSelector": { + "$id": "#/properties/controller/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/controller/properties/tolerations", + "title": "Set tolerations for the driver pods(optional)", + "description": "Tolerations is the list of tolerations for the driver pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/controller/properties/affinity", + "title": "Node affinity for controller plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/controller/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "node": { + "nodeSelector": { + "$id": "#/properties/node/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/node/properties/tolerations", + "title": "Set tolerations for the node pods(optional).", + "description": "Tolerations is the list of tolerations for the node pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/node/properties/affinity", + "title": "Node affinity for node plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/node/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "global": {} + }, + "additionalProperties": false +} diff --git a/charts/hpe/hpe-csi-driver/2.4.0/values.yaml b/charts/hpe/hpe-csi-driver/2.4.0/values.yaml new file mode 100644 index 0000000000..b00bb58556 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.0/values.yaml @@ -0,0 +1,76 @@ +# Default values for hpe-csi-driver Helm chart +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Control CSP Service and Deployments for HPE storage products +disable: + nimble: false + primera: false + alletra6000: false + alletra9000: false + +# For controlling automatic iscsi/multipath package installation +disableNodeConformance: false + +# For controlling automatic iscsi/multipath service configuration +disableNodeConfiguration: false + +# imagePullPolicy applied for all hpe-csi-driver images +imagePullPolicy: "IfNotPresent" + +# Cluster wide values for CHAP authentication +iscsi: + chapUser: "" + chapPassword: "" + +# Log level for all hpe-csi-driver components +logLevel: "info" + +# Registry prefix for hpe-csi-driver images +registry: "quay.io" + +# Kubelet root directory path +kubeletRootDir: "/var/lib/kubelet/" + +# NodeGetVolumestats will be called by default, set true to disable the call +disableNodeGetVolumeStats: false + +controller: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} + + +csp: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} + +node: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/Chart.yaml b/charts/hpe/hpe-csi-driver/2.4.1/Chart.yaml new file mode 100644 index 0000000000..e74d74e5d3 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/Chart.yaml @@ -0,0 +1,39 @@ +annotations: + artifacthub.io/category: storage + artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Release Highlights + url: https://scod.hpedev.io/csi_driver/index.html#latest_release + - name: Release Notes + url: https://github.com/hpe-storage/csi-driver/tree/master/release-notes + - name: Documentation + url: https://scod.hpedev.io/csi_driver + - name: Chart Source + url: https://github.com/hpe-storage/co-deployments + artifacthub.io/prerelease: "false" + artifacthub.io/recommendations: | + - url: https://artifacthub.io/packages/olm/community-operators/hpe-csi-operator + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-csi-info-metrics + - url: https://artifacthub.io/packages/helm/hpe-storage/hpe-array-exporter + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: HPE CSI Driver for Kubernetes + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/namespace: hpe-storage + catalog.cattle.io/release-name: hpe-csi-driver +apiVersion: v1 +appVersion: 2.4.1 +description: A Helm chart for installing the HPE CSI Driver for Kubernetes +home: https://hpe.com/storage/containers +icon: https://raw.githubusercontent.com/hpe-storage/co-deployments/master/docs/assets/hpedev.png +keywords: +- HPE +- Storage +- CSI +maintainers: +- email: dev-hi-containers@hpe.com + name: datamattsson +name: hpe-csi-driver +sources: +- https://github.com/hpe-storage/csi-driver +version: 2.4.1 diff --git a/charts/hpe/hpe-csi-driver/README.md b/charts/hpe/hpe-csi-driver/2.4.1/README.md similarity index 100% rename from charts/hpe/hpe-csi-driver/README.md rename to charts/hpe/hpe-csi-driver/2.4.1/README.md diff --git a/charts/hpe/hpe-csi-driver/2.4.1/app-readme.md b/charts/hpe/hpe-csi-driver/2.4.1/app-readme.md new file mode 100644 index 0000000000..29ca912cb7 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/app-readme.md @@ -0,0 +1,3 @@ +# HPE CSI Driver for Kubernetes + +The [HPE CSI Driver for Kubernetes](https://github.com/hpe-storage/csi-driver) leverages HPE storage platforms to provide scalable and persistent storage for stateful applications. diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/hpe-nodeinfo-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpe-nodeinfo-crd.yaml new file mode 100644 index 0000000000..86c60cf341 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpe-nodeinfo-crd.yaml @@ -0,0 +1,70 @@ +--- +############################################# +############ HPE Node Info CRD ############ +############################################# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpenodeinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPENodeInfo + plural: hpenodeinfos + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object." + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents" + type: string + spec: + description: "spec defines the desired characteristics of a HPE nodeinfo requested by a user." + properties: + chapPassword: + description: "The CHAP Password" + type: string + chapUser: + description: "The CHAP User Name" + type: string + iqns: + description: "List of IQNs configured on the node." + items: + type: string + type: array + networks: + description: "List of networks configured on the node." + items: + type: string + type: array + uuid: + description: "The UUID of the node." + type: string + wwpns: + description: "List of WWPNs configured on the node." + items: + type: string + type: array + required: + - uuid + - networks + type: object + required: + - spec + type: object +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/hpereplicated_deviceinfo_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpereplicated_deviceinfo_v2_crd.yaml new file mode 100644 index 0000000000..b95a9eef9d --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpereplicated_deviceinfo_v2_crd.yaml @@ -0,0 +1,115 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpereplicationdeviceinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEReplicationDeviceInfo + plural: hpereplicationdeviceinfos + shortNames: + - hperdi + + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeReplicationDeviceInfos: + description: List of HPE Replicated Device Information + type: object + items: + type: object + properties: + targets: + description: List of Target Array Details + type: object + items: + description: Target Array Details + type: object + properties: + targetName: + description: Target Name of the array + type: string + targetCpg: + description: Target CPG of the array + type: string + targetSnapCpg: + description: Target Snap CPG of the array + type: string + targetSecret: + description: Secret of the replicated array + type: string + targetMode: + description: Replication Mode + type: string + targetSecretNamespace: + description: Namespace of secret + type: string + required: + - targetName + - targetCpg + - targetSecret + - targetSecretNamespace + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeReplicationDeviceInfos: + description: List of HPE Replicated Device Information + type: object + items: + type: object + properties: + targets: + description: List of Target Array Details + type: object + items: + description: Target Array Details + type: object + properties: + targetName: + description: Target Name of the array + type: string + targetCpg: + description: Target CPG of the array + type: string + targetSnapCpg: + description: Target Snap CPG of the array + type: string + targetSecret: + description: Secret of the replicated array + type: string + targetMode: + description: Replication Mode + type: string + targetSecretNamespace: + description: Namespace of secret + type: string + required: + - targetName + - targetCpg + - targetSecret + - targetSecretNamespace +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + + diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumegroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumegroupinfos_v2_crd.yaml new file mode 100644 index 0000000000..2803998be7 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumegroupinfos_v2_crd.yaml @@ -0,0 +1,124 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpevolumegroupinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEVolumeGroupInfo + plural: hpevolumegroupinfos + shortNames: + - hpevgi + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumeGroupInfos: + description: List of HPE volume groups configured for 3PAR/Primera arrays. + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotGroups: + description: Snapshot groups that are linked to this volume group + items: + type: object + properties: + id: + description: ID of the snapshot group + type: string + + name: + description: Name of the snapshot group + type: string + type: object + volumes: + description: Volumes that are members in this volume group + + items: + type: object + properties: + volumeId: + description: ID of the member volume + type: string + + volumeName: + description: Name of the member volume + type: string + type: object + type: object + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumeGroupInfos: + description: List of HPE volume groups configured for 3PAR/Primera arrays. + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotGroups: + description: Snapshot groups that are linked to this volume group + items: + type: object + properties: + id: + description: ID of the snapshot group + type: string + + name: + description: Name of the snapshot group + type: string + type: object + volumes: + description: Volumes that are members in this volume group + + items: + type: object + properties: + volumeId: + description: ID of the member volume + type: string + + volumeName: + description: Name of the member volume + type: string + type: object + type: object + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumeinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumeinfos_v2_crd.yaml new file mode 100644 index 0000000000..7f995a724b --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/hpevolumeinfos_v2_crd.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpevolumeinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEVolumeInfo + plural: hpevolumeinfos + scope: Cluster + # list of versions supported by this CustomResourceDefinition + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumes: + description: List of HPE volumes configured for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume + type: object + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + + properties: + hpeVolumes: + description: List of HPE volumes configured for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume + type: object + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/snapshotgroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/snapshotgroupinfos_v2_crd.yaml new file mode 100644 index 0000000000..6fc3519997 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/snapshotgroupinfos_v2_crd.yaml @@ -0,0 +1,112 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpesnapshotgroupinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPESnapshotGroupInfo + plural: hpesnapshotgroupinfos + shortNames: + - hpesgi + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeSnapshotGroupInfos: + description: List of HPE snapshot groups created for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotVolumes: + description: Snapshot volumes that are part of this snapshot group + type: object + items: + type: object + properties: + srcVolumeId: + description: ID of the volume that is the source of this snapshot volume + type: string + + srcVolumeName: + description: Name of the volume that is the source of this snapshot volume + type: string + + snapshotId: + description: Snapshot volume Id + type: string + + snapshotName: + description: Snapshot volume name + type: string + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeSnapshotGroupInfos: + description: List of HPE snapshot groups created for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotVolumes: + description: Snapshot volumes that are part of this snapshot group + type: object + items: + type: object + properties: + srcVolumeId: + description: ID of the volume that is the source of this snapshot volume + type: string + + srcVolumeName: + description: Name of the volume that is the source of this snapshot volume + type: string + + snapshotId: + description: Snapshot volume Id + type: string + + snapshotName: + description: Snapshot volume name + type: string + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupclasses.yaml new file mode 100644 index 0000000000..b588784719 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupclasses.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroupclasses.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroupClass + listKind: SnapshotGroupClassList + plural: snapshotgroupclasses + singular: snapshotgroupclass + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroupClass specifies parameters that a underlying + storage system uses when creating a volumegroup snapshot. A specific SnapshotGroupClass + is used by specifying its name in a VolumeGroupSnapshot object. SnapshotGroupClasses + are non-namespaced + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + deletionPolicy: + description: deletionPolicy determines whether a SnapshotGroupContent + created through the SnapshotGroupClass should be deleted when its + bound SnapshotGroup is deleted. Supported values are "Retain" and + "Delete". "Retain" means that the SnapshotGroupContent and its physical + snapshotGroup on underlying storage system are kept. "Delete" means that + the SnapshotGroupContent and its physical snapshotGroup on underlying + storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + snapshotter: + description: snapshotter is the name of the storage driver that handles this + SnapshotGroupClass. Required. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating snapshotGroups. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - snapshotter + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupcontents.yaml new file mode 100644 index 0000000000..a7132c59e1 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroupcontents.yaml @@ -0,0 +1,104 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroupcontents.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroupContent + listKind: SnapshotGroupContentList + plural: snapshotgroupcontents + singular: snapshotgroupcontent + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroupContent represents the actual "on-disk" snapshotGroup + object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint the + client submits requests to. Cannot be updated. In CamelCase. More + info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a SnapshotGroupContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this SnapshotGroupContent + and its physical snapshotgroup on the underlying storage system should + be deleted when its bound SnapshotGroup is deleted. Supported + values are "Retain" and "Delete". "Retain" means that the SnapshotGroupContent + and its physical snapshotGroup on underlying storage system are kept. + "Delete" means that the SnapshotGroupContent and its physical + snapshotGroup on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + source: + description: source specifies from where a snapshotGroup will be created.Required. + properties: + snapshotGroupHandle: + description: snapshotGroupHandle specifies the snapshotGroup Id + of a pre-existing snapshotGroup on the underlying storage system. + This field is immutable. + type: string + type: object + snapshotGroupClassName: + description: name of the SnapshotGroupClass to which this snapshotGroup belongs. + type: string + snapshotGroupRef: + description: snapshotGroupRef specifies the SnapshotGroup object + to which this SnapshotGroupContent object is bound. SnapshotGroup.Spec.SnapshotGroupContentName + field must reference to this SnapshotGroupContent's name for + the bidirectional binding to be valid. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + volumeSnapshotContentNames: + description: list of volumeSnapshotContentNames associated with this snapshotGroups + type: array + items: + type: string + required: + - deletionPolicy + - source + - snapshotGroupClassName + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroups.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroups.yaml new file mode 100644 index 0000000000..3372a7db71 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_snapshotgroups.yaml @@ -0,0 +1,83 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroups.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroup + listKind: SnapshotGroupList + plural: snapshotgroups + singular: snapshotgroup + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroup is a user's request for creating a snapshotgroup + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents' + type: string + spec: + description: spec defines the desired characteristics of a snapshotGroup + requested by a user. + Required. + properties: + source: + description: source specifies where a snapshotGroup will be created. + This field is immutable after creation. Required. + properties: + kind: + description: kind of the source (VolumeGroup) is the only supported one. + type: string + apiGroup: + description: apiGroup of the source. Current supported is storage.hpe.com + type: string + name: + description: name specifies the volumeGroupName of the VolumeGroup object in the same namespace as the SnapshotGroup object where the snapshotGroup should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the volumeSnapshotClass to create pre-provisioned snapshots + type: string + snapshotGroupClassName: + description: snapshotGroupClassName is the name of the SnapshotGroupClass requested by the SnapshotGroup. + type: string + snapshotGroupContentName: + description: snapshotGroupContentName is the name of the snapshotGroupContent the snapshotGroup is bound. + type: string + required: + - source + - volumeSnapshotClassName + - snapshotGroupClassName + type: object + status: + description: status represents the current information of a snapshotGroup. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshotGroup is taken by the underlying storage system. + format: date-time + type: string + phase: + description: the state of the snapshotgroup + enum: + - Pending + - Ready + - Failed + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupclasses.yaml new file mode 100644 index 0000000000..e201ec94e0 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupclasses.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroupclasses.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroupClass + listKind: VolumeGroupClassList + plural: volumegroupclasses + singular: volumegroupclass + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroupClass specifies parameters that a underlying + storage system uses when creating a volumegroup. A specific VolumeGroupClass + is used by specifying its name in a VolumeGroup object. VolumeGroupClasses + are non-namespaced + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeGroupContent + created through the VolumeGroupClass should be deleted when its + bound VolumeGroup is deleted. Supported values are "Retain" and + "Delete". "Retain" means that the VolumeGroupContent and its physical + volumeGroup on underlying storage system are kept. "Delete" means that + the VolumeGroupContent and its physical volumeGroup on underlying + storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + provisioner: + description: provisioner is the name of the storage driver that handles this + VolumeGroupClass. Required. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating volumeGroups. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - provisioner + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupcontents.yaml new file mode 100644 index 0000000000..d944909ebf --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroupcontents.yaml @@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroupcontents.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroupContent + listKind: VolumeGroupContentList + plural: volumegroupcontents + singular: volumegroupcontent + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroupContent represents the actual "on-disk" volumeGroup + object in the underlying storage system + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + spec: + description: spec defines properties of a VolumeGroupContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeGroupContent + and its physical volumegroup on the underlying storage system should + be deleted when its bound VolumeGroup is deleted. Supported + values are "Retain" and "Delete". "Retain" means that the VolumeGroupContent + and its physical volumeGroup on underlying storage system are kept. + "Delete" means that the VolumeGroupContent and its physical + volumeGroup on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + source: + description: source specifies from where a volumeGroup will be created.Required. + properties: + volumeGroupHandle: + description: volumeGroupHandle specifies the volumeGroup Id + of a pre-existing volumeGroup on the underlying storage system. + This field is immutable. + type: string + type: object + volumeGroupClassName: + description: name of the VolumeGroupClass to which this volumeGroup belongs. + type: string + volumeGroupRef: + description: volumeGroupRef specifies the VolumeGroup object + to which this VolumeGroupContent object is bound. VolumeGroup.Spec.VolumeGroupContentName + field must reference to this VolumeGroupContent's name for + the bidirectional binding to be valid. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - source + - volumeGroupClassName + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroups.yaml b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroups.yaml new file mode 100644 index 0000000000..862b4398a8 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/crds/storage.hpe.com_volumegroups.yaml @@ -0,0 +1,69 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroups.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroup + listKind: VolumeGroupList + plural: volumegroups + singular: volumegroup + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroup is a user's request for creating a volumegroup + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents' + type: string + spec: + description: spec defines the desired characteristics of a volumeGroup + requested by a user. + Required. + properties: + volumeGroupClassName: + description: name of the volumeGroupClassName to create volumeGroups + type: string + persistentVolumeClaimNames: + description: persistentVolumeClaimNames are the name of the PVC associated with this volumeGroup. + type: array + items: + type: string + volumeGroupContentName: + description: volumeGroupContentName is the name of the volumeGroupContent to which the volumeGroup is bound. + type: string + required: + - volumeGroupClassName + type: object + status: + description: status represents the current information of a volumeGroup. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + volumeGroup is taken by the underlying storage system. + format: date-time + type: string + phase: + description: the state of the volumegroup + enum: + - Pending + - Ready + - Failed + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/files/config.json b/charts/hpe/hpe-csi-driver/2.4.1/files/config.json new file mode 100644 index 0000000000..d7f893b2ad --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/files/config.json @@ -0,0 +1,405 @@ +{ + "Nimble": { + "Default": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Manual startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "manual" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum login timeout of 15 seconds is recommended with iSCSI. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "login_timeout", + "recommendation": "15" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum timeout of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum cmds_max of 512 is recommended for each session if handling multiple LUN's. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "cmds_max", + "recommendation": "512" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum queue_depth of 256 is recommended for each iSCSI session/path. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "queue_depth", + "recommendation": "256" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum number of sessions per iSCSI login is recommended to be 1 by default. If additional sessions are needed this can be set in /etc/iscsi/iscsid.conf. If NCM is running, please change min_session_per_array in /etc/ncm.conf and restart nlt service instead", + "parameter": "nr_sessions", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to Server in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"Server\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "immediately fail i/o on transient path failures to retry on other paths, value=1. Can be set in /etc/multipath.conf", + "parameter": "fast_io_fail_tmo", + "recommendation": "5" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 30. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "30" + }, + { + "category": "multipath", + "severity": "warning", + "description": "service-time path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"service-time 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to Nimble in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"Nimble\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": "infinite value is recommended for timeout in cases of device loss for FC. Can be set in /etc/multipath.conf", + "parameter": "dev_loss_tmo", + "recommendation": "infinity" + } + ], + "Ubuntu": null + }, + "3PARdata": { + "Default": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Manual startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "manual" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum login timeout of 15 seconds is recommended with iSCSI. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "login_timeout", + "recommendation": "15" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum timeout of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum cmds_max of 512 is recommended for each session if handling multiple LUN's. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "cmds_max", + "recommendation": "512" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum queue_depth of 256 is recommended for each iSCSI session/path. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "queue_depth", + "recommendation": "256" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum number of sessions per iSCSI login is recommended to be 1 by default. If additional sessions are needed this can be set in /etc/iscsi/iscsid.conf. If NCM is running, please change min_session_per_array in /etc/ncm.conf and restart nlt service instead", + "parameter": "nr_sessions", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to VV in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"VV\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "immediately fail i/o on transient path failures to retry on other paths, value=1. Can be set in /etc/multipath.conf", + "parameter": "fast_io_fail_tmo", + "recommendation": "10" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 18. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "18" + }, + { + "category": "multipath", + "severity": "warning", + "description": "round-robin 0 path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"round-robin 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to 3PARdata. Can be set in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"3PARdata\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "infinite value is recommended for timeout in cases of device loss for FC. Can be set in /etc/multipath.conf", + "parameter": "dev_loss_tmo", + "recommendation": "infinity" + }, + { + "category": "multipath", + "severity": "critical", + "description": "tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": "0 value is recommended for features. Can be set in /etc/multipath.conf", + "parameter": "features", + "recommendation": "\"0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "uniform rr_weight is recommended. Can be set in /etc/multipath.conf", + "parameter": "rr_weight", + "recommendation": "\"uniform\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "rr_min_io_rq 1 is recommended. Can be set in /etc/multipath.conf", + "parameter": "rr_min_io_rq", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "detect_prio yes is recommended. Can be set in /etc/multipath.conf", + "parameter": "detect_prio", + "recommendation": "yes" + } + ], + "Ubuntu": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Automatic startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "automatic" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum interval of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_interval", + "recommendation": "10" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to VV in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"VV\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 18. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "18" + }, + { + "category": "multipath", + "severity": "warning", + "description": "round-robin 0 path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"round-robin 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to 3PARdata in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"3PARdata\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "getuid_callout whitelist is recommended. Can be set in /etc/multipath.conf", + "parameter": "getuid_callout", + "recommendation": "\"/lib/udev/scsi_id --whitelisted --device=/dev/%n\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "rr_min_io is recommended with value as 100. Can be set in /etc/multipath.conf", + "parameter": "rr_min_io", + "recommendation": "100" + }, + { + "category": "multipath", + "severity": "critical", + "description": " tur checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": " tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": " features 0 is recommended. Can be set in /etc/multipath.conf", + "parameter": "features", + "recommendation": "\"0\"" + } + ] + } +} \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.1/questions.yml b/charts/hpe/hpe-csi-driver/2.4.1/questions.yml new file mode 100644 index 0000000000..e607a36185 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/questions.yml @@ -0,0 +1,87 @@ +labels: + io.rancher.certified: partner +questions: +- variable: disableNodeConformance + label: "Disable automatic installation of iSCSI/Multipath Packages" + type: boolean + default: false + description: "Disable automatic installation of iSCSI/Multipath Packages" + group: "HPE CSI Driver settings" +- variable: disableNodeGetVolumeStats + label: "Disable NoteGetVolumeStats" + type: boolean + default: false + description: "Disable NodeGetVolumeStats call to CSI driver" + group: "HPE CSI Driver settings" +- variable: imagePullPolicy + label: "ImagePullPolicy" + default: "IfNotPresent" + type: enum + options: + - "IfNotPresent" + - "Always" + - "Never" + description: "ImagePullPolicy for all CSI driver images" + group: "HPE CSI Driver settings" +- variable: iscsi.chapUser + label: "iSCSI CHAP Username" + type: string + required: false + description: "Specify username for iSCSI CHAP authentication" + group: "HPE iSCSI settings" +- variable: iscsi.chapPassword + label: "iSCSI CHAP Password" + type: password + min_length: 12 + max_length: 16 + required: false + description: "Specify password for iSCSI CHAP authentication" + group: "HPE iSCSI settings" +- variable: logLevel + label: "Set log level" + default: "info" + type: enum + options: + - "info" + - "debug" + - "trace" + - "warn" + - "error" + description: "Sets the CSI driver and sidecar log level" + group: "HPE CSI Driver settings" +- variable: registry + label: "Registry" + type: string + default: "quay.io" + description: "Specify registry prefix (hostname[:port]) for CSI driver images" + group: "HPE CSI Driver settings" +- variable: kubeletRootDir + label: "Set kubeletRootDir" + type: string + default: "/var/lib/kubelet" + description: "The kubelet root directory path" + group: "HPE CSI Driver settings" +- variable: disable.nimble + label: "Disable Nimble" + type: boolean + default: false + description: "Disable HPE Nimble Storage CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.primera + label: "Disable Primera" + type: boolean + default: false + description: "Disable HPE Primera (and 3PAR) CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.alletra6000 + label: "Disable Alletra 5000/6000" + type: boolean + default: false + description: "Disable HPE Alletra 5000/6000 CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.alletra9000 + label: "Disable Alletra 9000" + type: boolean + default: false + description: "Disable HPE Alletra 9000 CSP Service" + group: "Disable Container Storage Providers" diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/NOTES.txt b/charts/hpe/hpe-csi-driver/2.4.1/templates/NOTES.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/_helpers.tpl b/charts/hpe/hpe-csi-driver/2.4.1/templates/_helpers.tpl new file mode 100644 index 0000000000..165840d528 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "hpe-csi-storage.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hpe-csi-storage.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hpe-csi-storage.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/csi-driver-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/csi-driver-crd.yaml new file mode 100644 index 0000000000..81fb29fa4b --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/csi-driver-crd.yaml @@ -0,0 +1,24 @@ + + + +--- + +################# CSI Driver ########### +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "18") }} +apiVersion: storage.k8s.io/v1 +{{- else if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "14") }} +apiVersion: storage.k8s.io/v1beta1 +{{- end }} + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "14") }} +kind: CSIDriver +metadata: + name: csi.hpe.com +spec: + podInfoOnMount: true + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "16") }} + volumeLifecycleModes: + - Persistent + - Ephemeral + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-controller.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-controller.yaml new file mode 100644 index 0000000000..f2fd92bcef --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-controller.yaml @@ -0,0 +1,241 @@ +--- + +############################################# +############ Controller driver ############ +############################################# + +kind: Deployment +apiVersion: apps/v1 +metadata: + name: hpe-csi-controller + namespace: {{ .Release.Namespace }} +spec: + replicas: 1 + selector: + matchLabels: + app: hpe-csi-controller + template: + metadata: + labels: + app: hpe-csi-controller + role: hpe-csi + {{- if .Values.controller.labels }} +{{ toYaml .Values.controller.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csi-controller-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + dnsConfig: + options: + - name: ndots + value: "1" + containers: + - name: csi-provisioner + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-provisioner:v4.0.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 + {{- end }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--extra-create-metadata" + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "13") }} + - "--timeout=30s" + - "--worker-threads=16" + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: csi-attacher + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-attacher:v4.5.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + {{- if and ( or (eq .Values.disable.primera false) (eq .Values.disable.alletra9000 false) ) ( or (eq .Values.disable.nimble true) (eq .Values.disable.alletra6000 true) ) }} + - "--timeout=180s" + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: csi-snapshotter + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "20") }} + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-snapshotter:v6.3.3 + {{- else }} + image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.3 + {{- end }} + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} + - name: csi-resizer + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-resizer:v1.9.3 + {{- else }} + image: registry.k8s.io/sig-storage/csi-resizer:v1.9.3 + {{- end }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + {{- end }} + - name: hpe-csi-driver + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1 + {{- else }} + image: quay.io/hpestorage/csi-driver:v2.4.1 + {{- end }} + args : + - "--endpoint=$(CSI_ENDPOINT)" + - "--flavor=kubernetes" + - "--pod-monitor" + - "--pod-monitor-interval=30" + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy + - name: log-dir + mountPath: /var/log + - name: k8s + mountPath: /etc/kubernetes + - name: hpeconfig + mountPath: /etc/hpe-storage + - name: root-dir + mountPath: /host + - name: csi-volume-mutator + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-mutator:v1.3.5 + {{- else }} + image: quay.io/hpestorage/volume-mutator:v1.3.5 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-volume-group-snapshotter + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-group-snapshotter:v1.0.5 + {{- else }} + image: quay.io/hpestorage/volume-group-snapshotter:v1.0.5 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-volume-group-provisioner + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/volume-group-provisioner:v1.0.5 + {{- else }} + image: quay.io/hpestorage/volume-group-provisioner:v1.0.5 + {{- end }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi-extensions.sock + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-extensions + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-extensions:v1.2.6 + {{- else }} + image: quay.io/hpestorage/csi-extensions:v1.2.6 + {{- end }} + args: + - "--v=5" + - "--endpoint=$(CSI_ENDPOINT)" + env: + - name: CSI_ENDPOINT + value: unix:///var/lib/csi/sockets/pluginproxy/csi-extensions.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + volumes: + - name: socket-dir + emptyDir: {} + - name: log-dir + hostPath: + path: /var/log + - name: k8s + hostPath: + path: /etc/kubernetes + - name: hpeconfig + hostPath: + path: /etc/hpe-storage + - name: root-dir + hostPath: + path: / + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-node.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-node.yaml new file mode 100644 index 0000000000..67f00473f4 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-node.yaml @@ -0,0 +1,242 @@ +--- + +####################################### +############ Node driver ############ +####################################### + +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: hpe-csi-node + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: hpe-csi-node + template: + metadata: + labels: + app: hpe-csi-node + role: hpe-csi + {{- if .Values.node.labels }} +{{ toYaml .Values.node.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csi-node-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-node-critical + {{- end }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + dnsConfig: + options: + - name: ndots + value: "1" + initContainers: + - name: hpe-csi-node-init + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1 + {{- else }} + image: quay.io/hpestorage/csi-driver:v2.4.1 + {{- end}} + args: ['--node-init'] + volumeMounts: + - name: root-dir + mountPath: /host + mountPropagation: "Bidirectional" + - name: device-dir + mountPath: /dev + - name: sys + mountPath: /sys + - name: etc-hpe-storage-dir + mountPath: /etc/hpe-storage + - name: runsystemd + mountPath: /run/systemd + - name: etcsystemd + mountPath: /etc/systemd/system + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + containers: + - name: csi-node-driver-registrar + {{- if and (.Values.registry) (eq .Values.registry "quay.io") }} + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + {{- else if .Values.registry }} + image: {{ .Values.registry }}/sig-storage/csi-node-driver-registrar:v2.10.0 + {{- else }} + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 + {{- end}} + args: + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + - "--v=5" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + {{- if .Values.kubeletRootDir }} + value: {{ .Values.kubeletRootDir }}/plugins/csi.hpe.com/csi.sock + {{- else }} + value: /var/lib/kubelet/plugins/csi.hpe.com/csi.sock + {{- end }} + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "12") }} + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + - name: hpe-csi-driver + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/csi-driver:v2.4.1 + {{- else }} + image: quay.io/hpestorage/csi-driver:v2.4.1 + {{- end}} + args : + - "--endpoint=$(CSI_ENDPOINT)" + - "--node-service" + - "--flavor=kubernetes" + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: LOG_LEVEL + value: {{ .Values.logLevel }} + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{ if and .Values.iscsi.chapUser .Values.iscsi.chapPassword }} + - name: CHAP_USER + value: {{ .Values.iscsi.chapUser }} + - name: CHAP_PASSWORD + value: {{ .Values.iscsi.chapPassword }} + {{- end }} + {{ if .Values.disableNodeConformance -}} + - name: DISABLE_NODE_CONFORMANCE + value: "true" + {{- end }} + {{ if .Values.disableNodeConfiguration -}} + - name: DISABLE_NODE_CONFIGURATION + value: "true" + {{- end }} + {{- if .Values.kubeletRootDir }} + - name: KUBELET_ROOT_DIR + value: {{ .Values.kubeletRootDir }} + {{- end }} + {{ if .Values.disableNodeGetVolumeStats -}} + - name: DISABLE_NODE_GET_VOLUMESTATS + value: "true" + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + volumeMounts: + - name: plugin-dir + mountPath: /csi + - name: pods-mount-dir + {{- if .Values.kubeletRootDir }} + mountPath: {{ .Values.kubeletRootDir }} + {{- else }} + mountPath: /var/lib/kubelet + {{- end }} + # needed so that any mounts setup inside this container are + # propagated back to the host machine. + mountPropagation: "Bidirectional" + - name: root-dir + mountPath: /host + mountPropagation: "Bidirectional" + - name: device-dir + mountPath: /dev + - name: log-dir + mountPath: /var/log + - name: etc-hpe-storage-dir + mountPath: /etc/hpe-storage + - name: etc-kubernetes + mountPath: /etc/kubernetes + - name: sys + mountPath: /sys + - name: runsystemd + mountPath: /run/systemd + - name: etcsystemd + mountPath: /etc/systemd/system + - name: linux-config-file + mountPath: /opt/hpe-storage/nimbletune/config.json + subPath: config.json + volumes: + - name: registration-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }}/plugins_registry + {{- else }} + path: /var/lib/kubelet/plugins_registry + {{- end }} + type: Directory + - name: plugin-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }}/plugins/csi.hpe.com + {{- else }} + path: /var/lib/kubelet/plugins/csi.hpe.com + {{- end }} + type: DirectoryOrCreate + - name: pods-mount-dir + hostPath: + {{ if .Values.kubeletRootDir }} + path: {{ .Values.kubeletRootDir }} + {{- else }} + path: /var/lib/kubelet + {{- end }} + - name: root-dir + hostPath: + path: / + - name: device-dir + hostPath: + path: /dev + - name: log-dir + hostPath: + path: /var/log + - name: etc-hpe-storage-dir + hostPath: + path: /etc/hpe-storage + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes + - name: runsystemd + hostPath: + path: /run/systemd + - name: etcsystemd + hostPath: + path: /etc/systemd/system + - name: sys + hostPath: + path: /sys + - name: linux-config-file + configMap: + name: hpe-linux-config + {{- if .Values.node.nodeSelector }} + nodeSelector: +{{ toYaml .Values.node.nodeSelector | indent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + key: csi.hpe.com/hpe-nfs + operator: Exists + {{- if .Values.node.tolerations }} +{{ toYaml .Values.node.tolerations | indent 8 }} + {{- end }} + {{- if .Values.node.affinity }} + affinity: +{{ toYaml .Values.node.affinity | indent 8 }} + {{- end }} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-rbac.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-rbac.yaml new file mode 100644 index 0000000000..fd72c99567 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-csi-rbac.yaml @@ -0,0 +1,565 @@ +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-provisioner-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["services"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] +{{- end }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch", "delete"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "12") }} + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + {{- else if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "13") }} + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + {{ else }} + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + {{- end }} + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-attacher-role + apiGroup: rbac.authorization.k8s.io + + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotter-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["create", "update", "delete", "get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "update", "delete", "get", "list", "watch", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +{{- end }} + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} +--- +# Resizer must be able to work with PVCs, PVs, SCs. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-resizer-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- + +# Resizer must be able to work with end point in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: external-resizer-cfg +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role-cfg + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: external-resizer-cfg + apiGroup: rbac.authorization.k8s.io + + +--- +# cluster role to support volumegroup +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-volumegroup-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupclasses"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "get", "update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-volumegroup-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-volumegroup-role + apiGroup: rbac.authorization.k8s.io + +--- +# cluster role to support snapshotgroup +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotgroup-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupcontents"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupclasses"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroups/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupcontents/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "get", "update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotgroup-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-snapshotgroup-role + apiGroup: rbac.authorization.k8s.io + +--- +# mutator must be able to work with PVCs, PVs, SCs. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + # replace with non-default namespace name + namespace: {{ .Release.Namespace }} + +roleRef: + kind: ClusterRole + name: csi-mutator-role + apiGroup: rbac.authorization.k8s.io + +--- +# mutator must be able to work with end point in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: csi-mutator-cfg +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-role-cfg + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + +roleRef: + kind: Role + name: csi-mutator-cfg + apiGroup: rbac.authorization.k8s.io +{{- end }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-driver-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["hpenodeinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpevolumeinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpereplicationdeviceinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpevolumegroupinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpesnapshotgroupinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hpe-csi-node-sa + namespace: {{ .Release.Namespace }} + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-driver-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: hpe-csi-node-sa + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: hpe-csp-sa + namespace: {{ .Release.Namespace }} + +roleRef: + kind: ClusterRole + name: hpe-csi-driver-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: hpe-csp-sa + namespace: {{ .Release.Namespace }} diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-linux-config.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-linux-config.yaml new file mode 100644 index 0000000000..5e4c4944a1 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/hpe-linux-config.yaml @@ -0,0 +1,13 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: hpe-linux-config + namespace: {{ .Release.Namespace }} +data: +{{ if and .Values.iscsi.chapUser .Values.iscsi.chapPassword }} + CHAP_USER: {{ .Values.iscsi.chapUser | quote }} + CHAP_PASSWORD: {{ .Values.iscsi.chapPassword | quote }} +{{- end }} + config.json: |- +{{ (.Files.Get "files/config.json") | indent 4 }} \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/nimble-csp.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/nimble-csp.yaml rename to charts/hpe/hpe-csi-driver/2.4.1/templates/nimble-csp.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.1/templates/primera-3par-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.1/templates/primera-3par-csp.yaml new file mode 100644 index 0000000000..9c9a6d7cc9 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.1/templates/primera-3par-csp.yaml @@ -0,0 +1,119 @@ +{{- if not .Values.disable.alletraStorageMP }} +--- +### Alletra Storage MP CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: alletrastoragemp-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: alletrastoragemp-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: primera3par-csp + +{{- end }} + +{{- if not .Values.disable.alletra9000 }} +--- +### Alletra9000 CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: alletra9000-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: alletra9000-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: primera3par-csp + +{{- end }} + +{{- if not .Values.disable.primera }} +--- +### Primera3par CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: primera3par-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: primera3par-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: primera3par-csp +{{- end }} + +{{- if or (not .Values.disable.alletraStorageMP) (not .Values.disable.alletra9000) (not .Values.disable.primera) }} + +--- +### CSP deployment ### +kind: Deployment +apiVersion: apps/v1 +metadata: + name: primera3par-csp + labels: + app: primera3par-csp + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: primera3par-csp + replicas: 1 + template: + metadata: + labels: + app: primera3par-csp + {{- if .Values.csp.labels }} +{{ toYaml .Values.csp.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csp-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + containers: + - name: primera3par-csp + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.1 + {{- else }} + image: quay.io/hpestorage/alletra-9000-primera-and-3par-csp:v2.4.1 + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + env: + - name: CRD_CLIENT_CONFIG_QPS + value: "35" + - name: CRD_CLIENT_CONFIG_BURST + value: "20" + ports: + - containerPort: 8080 + volumeMounts: + - name: log-dir + mountPath: /var/log + volumes: + - name: log-dir + hostPath: + path: /var/log + {{- if .Values.csp.nodeSelector }} + nodeSelector: +{{ toYaml .Values.csp.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.csp.tolerations }} + tolerations: +{{ toYaml .Values.csp.tolerations | indent 8 }} + {{- end }} + {{- if .Values.csp.affinity }} + affinity: +{{ toYaml .Values.csp.affinity | indent 8 }} + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/values.schema.json b/charts/hpe/hpe-csi-driver/2.4.1/values.schema.json similarity index 100% rename from charts/hpe/hpe-csi-driver/values.schema.json rename to charts/hpe/hpe-csi-driver/2.4.1/values.schema.json diff --git a/charts/hpe/hpe-csi-driver/values.yaml b/charts/hpe/hpe-csi-driver/2.4.1/values.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/values.yaml rename to charts/hpe/hpe-csi-driver/2.4.1/values.yaml diff --git a/charts/hpe/hpe-csi-driver/Chart.yaml b/charts/hpe/hpe-csi-driver/2.4.2/Chart.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/Chart.yaml rename to charts/hpe/hpe-csi-driver/2.4.2/Chart.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.2/README.md b/charts/hpe/hpe-csi-driver/2.4.2/README.md new file mode 100644 index 0000000000..e6008b1e81 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/README.md @@ -0,0 +1,178 @@ +# HPE CSI Driver for Kubernetes Helm chart + +The [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/index.html) leverages Hewlett Packard Enterprise primary storage platforms to provide scalable and persistent storage for stateful and ephemeral applications. Currently supported storage platforms include HPE GreenLake for Block Storage powered by HPE Alletra Storage MP, HPE Alletra 5000/6000/9000, HPE Nimble Storage, HPE Primera and HPE 3PAR. + +## Release highlights + +The HPE CSI Driver for Kubernetes Helm chart is the primary delivery vehicle for the HPE CSI Driver. + +- All resources for the HPE CSI Driver is available on [HPE Storage Container Orchestrator Documentation](https://scod.hpedev.io/) (SCOD). +- Visit [the latest release](https://scod.hpedev.io/csi_driver/index.html#latest_release) on SCOD to learn what's new in this chart. +- The release notes for the HPE CSI Driver are hosted on [GitHub](https://github.com/hpe-storage/csi-driver/tree/master/release-notes). + +## Prerequisites + +- Most recent Kubernetes distributions are supported +- Recent Ubuntu, SLES or RHEL (and its derives) compute nodes connected to their respective official package repositories +- Helm 3 (Version >= 3.2.0 required) + +Refer to [Compatibility & Support](https://scod.hpedev.io/csi_driver/index.html#compatibility_and_support) for currently supported versions of Kubernetes and compute node operating systems. + +Depending on which [Container Storage Provider](https://scod.hpedev.io/container_storage_provider/index.html) (CSP) is being used, other prerequisites and requirements may apply, such as storage platform OS and features. + +- [HPE Alletra 5000/6000 and Nimble Storage](https://scod.hpedev.io/container_storage_provider/hpe_alletra_6000/index.html) +- [HPE Alletra Storage MP, Alletra 9000, Primera and 3PAR](https://scod.hpedev.io/container_storage_provider/hpe_alletra_storage_mp/index.html) + +## Configuration and installation + +The following table lists the configurable parameters of the chart and their default values. + +| Parameter | Description | Default | +|---------------------------|------------------------------------------------------------------------|------------------| +| disable.nimble | Disable HPE Nimble Storage CSP `Service`. | false | +| disable.primera | Disable HPE Primera (and 3PAR) CSP `Service`. | false | +| disable.alletra6000 | Disable HPE Alletra 5000/6000 CSP `Service`. | false | +| disable.alletra9000 | Disable HPE Alletra 9000 CSP `Service`. | false | +| disable.alletraStorageMP | Disable HPE Alletra Storage MP CSP `Service`. | false | +| disableNodeConformance | Disable automatic installation of iSCSI, multipath and NFS packages. | false | +| disableNodeConfiguration | Disables node conformance and configuration.`*` | false | +| disableNodeGetVolumeStats | Disable NodeGetVolumeStats call to CSI driver. | false | +| imagePullPolicy | Image pull policy (`Always`, `IfNotPresent`, `Never`). | IfNotPresent | +| iscsi.chapUser | Username for iSCSI CHAP authentication. | "" | +| iscsi.chapPassword | Password for iSCSI CHAP authentication. | "" | +| logLevel | Log level. Can be one of `info`, `debug`, `trace`, `warn` and `error`. | info | +| registry | Registry to pull HPE CSI Driver container images from. | quay.io | +| kubeletRootDir | The kubelet root directory path. | /var/lib/kubelet | +| controller.labels | Additional labels for HPE CSI Driver controller Pods. | {} | +| controller.nodeSelector | Node labels for HPE CSI Driver controller Pods assignment. | {} | +| controller.affinity | Affinity rules for the HPE CSI Driver controller Pods. | {} | +| controller.tolerations | Node taints to tolerate for the HPE CSI Driver controller Pods. | [] | +| csp.labels | Additional labels for CSP Pods. | {} | +| csp.nodeSelector | Node labels for CSP Pods assignment. | {} | +| csp.affinity | Affinity rules for the CSP Pods. | {} | +| csp.tolerations | Node taints to tolerate for the CSP Pods. | [] | +| node.labels | Additional labels for HPE CSI Driver node Pods. | {} | +| node.nodeSelector | Node labels for HPE CSI Driver node Pods assignment. | {} | +| node.affinity | Affinity rules for the HPE CSI Driver node Pods. | {} | +| node.tolerations | Node taints to tolerate for the HPE CSI Driver node Pods. | [] | + +`*` = Disabling node conformance and configuration may prevent the CSI driver from functioning properly. See the [manual node configuration](https://scod.hpedev.io/csi_driver/operations.html#manual_node_configuration) section on SCOD to understand the consequences. + +It's recommended to create a [values.yaml](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver) file from the corresponding release of the chart and edit it to fit the environment the chart is being deployed to. Download and edit [a sample file](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver). + +These are the bare minimum required parameters for a successful deployment to an iSCSI environment if CHAP authentication is required. + +``` +iscsi: + chapUser: "" + chapPassword: "" +``` + +Tweak any additional parameters to suit the environment or as prescribed by HPE. + +### Installing the chart + +To install the chart with the name `my-hpe-csi-driver`: + +Add HPE helm repo: + +``` +helm repo add hpe-storage https://hpe-storage.github.io/co-deployments/ +helm repo update +``` + +Install the latest chart: + +``` +helm install --create-namespace -n hpe-storage my-hpe-csi-driver hpe-storage/hpe-csi-driver +``` + +**Note**: By default, the latest stable chart will be installed. If it's labeled with `prerelease` and a "beta" version tag, add `--version X.Y.Z-beta` to the command line to install a "beta" chart. + +### Upgrading the chart + +Due to the [helm limitation](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations) to not support upgrade of CRDs between different chart versions, helm chart upgrade is not supported. +Our recommendation is to uninstall the existing chart and install the chart with the desired version. CRDs will be preserved between uninstall and install. + +#### Upgrading 2.0.0 to 2.1.0 + +Before version 2.0.0 is uninstalled, the following CRDs needs to be updated. + +**Important:** If there are HPE Alletra Storage MP, Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster, follow the [next steps](#update-rcg-info) before uninstallation. + +##### Update RCG Info + +This step is only necessary if there are HPE Alletra Storage MP, Alletra 9000, Primera or 3PAR Remote Copy Groups configured on the cluster. If there are none, proceed to the [next step](#update-crds). + +Change kubectl context into the Namespace where the HPE CSI Driver is installed. The most common is "hpe-storage". + +``` +kubectl config set-context --current --namespace=hpe-storage +``` + +Create the Job using the below commands, which will modify the "rcg-info" record to the new key "RCGCreatedByCSP". + +``` +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/yaml/rcg-info/v1.0.0/convert-rcg-info.yaml +``` + +Completion of job status can be verified using the below command. + +``` +kubectl wait --for=condition=complete --timeout=600s job/primera3par-rcg-info +``` + +Continue to [update the CRDs](#update-crds) followed by [uninstalling the chart](#uninstalling-the-chart). + +##### Update CRDs + +Before reinstallation of the driver, apply the new CRDs. + +``` +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpevolumeinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpevolumegroupinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/snapshotgroupinfos_v2_crd.yaml +kubectl apply -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/crds/hpereplicated_deviceinfo_v2_crd.yaml +``` + +#### Uninstalling the chart + +To uninstall the `my-hpe-csi-driver` chart: + +``` +helm uninstall my-hpe-csi-driver -n hpe-storage +``` + +**Note**: Due to a limitation in Helm, CRDs are not deleted as part of the chart uninstall. + +### Alternative install method + +In some cases it's more practical to provide the local configuration via the `helm` CLI directly. Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. These will take precedence over entries in [values.yaml](https://github.com/hpe-storage/co-deployments/blob/master/helm/values/csi-driver). For example: + +``` +helm install my-hpe-csi-driver hpe-storage/hpe-csi-driver -n hpe-storage \ + --set iscsi.chapUsername=admin \ + --set iscsi.chapPassword=xxxxxxxx +``` + +## Using persistent storage with Kubernetes + +Enable dynamic provisioning of persistent storage by creating a `StorageClass` API object that references a `Secret` which maps to a supported HPE primary storage backend. Refer to the [HPE CSI Driver for Kubernetes](https://scod.hpedev.io/csi_driver/deployment.html#add_a_hpe_storage_backend) documentation on SCOD. Also, it's helpful to be familiar with [persistent storage concepts](https://kubernetes.io/docs/concepts/storage/volumes/) in Kubernetes prior to deploying stateful workloads. + +## Support + +The HPE CSI Driver for Kubernetes Helm chart is fully supported by HPE. + +Formal support statements for each HPE supported CSP is [available on SCOD](https://scod.hpedev.io/legal/support). Use this facility for formal support of your HPE storage products, including the Helm chart. + +## Community + +Please file any issues, questions or feature requests you may have [here](https://github.com/hpe-storage/co-deployments/issues) (do not use this facility for support inquiries of your HPE storage product, see [SCOD](https://scod.hpedev.io/legal/support) for support). You may also join our Slack community to chat with HPE folks close to this project. We hang out in `#NimbleStorage`, `#3par-primera`, and `#Kubernetes`. Sign up at [slack.hpedev.io](https://slack.hpedev.io/) and login at [hpedev.slack.com](https://hpedev.slack.com/) + +## Contributing + +We value all feedback and contributions. If you find any issues or want to contribute, please feel free to open an issue or file a PR. More details in [CONTRIBUTING.md](https://github.com/hpe-storage/co-deployments/blob/master/CONTRIBUTING.md) + +## License + +This is open source software licensed using the Apache License 2.0. Please see [LICENSE](https://github.com/hpe-storage/co-deployments/blob/master/LICENSE) for details. diff --git a/charts/hpe/hpe-csi-driver/2.4.2/app-readme.md b/charts/hpe/hpe-csi-driver/2.4.2/app-readme.md new file mode 100644 index 0000000000..29ca912cb7 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/app-readme.md @@ -0,0 +1,3 @@ +# HPE CSI Driver for Kubernetes + +The [HPE CSI Driver for Kubernetes](https://github.com/hpe-storage/csi-driver) leverages HPE storage platforms to provide scalable and persistent storage for stateful applications. diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/hpe-nodeinfo-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpe-nodeinfo-crd.yaml new file mode 100644 index 0000000000..86c60cf341 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpe-nodeinfo-crd.yaml @@ -0,0 +1,70 @@ +--- +############################################# +############ HPE Node Info CRD ############ +############################################# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpenodeinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPENodeInfo + plural: hpenodeinfos + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + description: "APIVersion defines the versioned schema of this representation of an object." + type: string + kind: + description: "Kind is a string value representing the REST resource this object represents" + type: string + spec: + description: "spec defines the desired characteristics of a HPE nodeinfo requested by a user." + properties: + chapPassword: + description: "The CHAP Password" + type: string + chapUser: + description: "The CHAP User Name" + type: string + iqns: + description: "List of IQNs configured on the node." + items: + type: string + type: array + networks: + description: "List of networks configured on the node." + items: + type: string + type: array + uuid: + description: "The UUID of the node." + type: string + wwpns: + description: "List of WWPNs configured on the node." + items: + type: string + type: array + required: + - uuid + - networks + type: object + required: + - spec + type: object +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/hpereplicated_deviceinfo_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpereplicated_deviceinfo_v2_crd.yaml new file mode 100644 index 0000000000..b95a9eef9d --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpereplicated_deviceinfo_v2_crd.yaml @@ -0,0 +1,115 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpereplicationdeviceinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEReplicationDeviceInfo + plural: hpereplicationdeviceinfos + shortNames: + - hperdi + + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeReplicationDeviceInfos: + description: List of HPE Replicated Device Information + type: object + items: + type: object + properties: + targets: + description: List of Target Array Details + type: object + items: + description: Target Array Details + type: object + properties: + targetName: + description: Target Name of the array + type: string + targetCpg: + description: Target CPG of the array + type: string + targetSnapCpg: + description: Target Snap CPG of the array + type: string + targetSecret: + description: Secret of the replicated array + type: string + targetMode: + description: Replication Mode + type: string + targetSecretNamespace: + description: Namespace of secret + type: string + required: + - targetName + - targetCpg + - targetSecret + - targetSecretNamespace + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeReplicationDeviceInfos: + description: List of HPE Replicated Device Information + type: object + items: + type: object + properties: + targets: + description: List of Target Array Details + type: object + items: + description: Target Array Details + type: object + properties: + targetName: + description: Target Name of the array + type: string + targetCpg: + description: Target CPG of the array + type: string + targetSnapCpg: + description: Target Snap CPG of the array + type: string + targetSecret: + description: Secret of the replicated array + type: string + targetMode: + description: Replication Mode + type: string + targetSecretNamespace: + description: Namespace of secret + type: string + required: + - targetName + - targetCpg + - targetSecret + - targetSecretNamespace +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + + diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumegroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumegroupinfos_v2_crd.yaml new file mode 100644 index 0000000000..2803998be7 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumegroupinfos_v2_crd.yaml @@ -0,0 +1,124 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpevolumegroupinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEVolumeGroupInfo + plural: hpevolumegroupinfos + shortNames: + - hpevgi + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumeGroupInfos: + description: List of HPE volume groups configured for 3PAR/Primera arrays. + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotGroups: + description: Snapshot groups that are linked to this volume group + items: + type: object + properties: + id: + description: ID of the snapshot group + type: string + + name: + description: Name of the snapshot group + type: string + type: object + volumes: + description: Volumes that are members in this volume group + + items: + type: object + properties: + volumeId: + description: ID of the member volume + type: string + + volumeName: + description: Name of the member volume + type: string + type: object + type: object + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumeGroupInfos: + description: List of HPE volume groups configured for 3PAR/Primera arrays. + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotGroups: + description: Snapshot groups that are linked to this volume group + items: + type: object + properties: + id: + description: ID of the snapshot group + type: string + + name: + description: Name of the snapshot group + type: string + type: object + volumes: + description: Volumes that are members in this volume group + + items: + type: object + properties: + volumeId: + description: ID of the member volume + type: string + + volumeName: + description: Name of the member volume + type: string + type: object + type: object + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumeinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumeinfos_v2_crd.yaml new file mode 100644 index 0000000000..7f995a724b --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/hpevolumeinfos_v2_crd.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpevolumeinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPEVolumeInfo + plural: hpevolumeinfos + scope: Cluster + # list of versions supported by this CustomResourceDefinition + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeVolumes: + description: List of HPE volumes configured for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume + type: object + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + + properties: + hpeVolumes: + description: List of HPE volumes configured for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume + type: object + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/snapshotgroupinfos_v2_crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/snapshotgroupinfos_v2_crd.yaml new file mode 100644 index 0000000000..6fc3519997 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/snapshotgroupinfos_v2_crd.yaml @@ -0,0 +1,112 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: hpesnapshotgroupinfos.storage.hpe.com +spec: + group: storage.hpe.com + names: + kind: HPESnapshotGroupInfo + plural: hpesnapshotgroupinfos + shortNames: + - hpesgi + scope: Cluster + versions: + - name: v1 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: false + schema: + openAPIV3Schema: + type: object + #x-kubernetes-preserve-unknown-fields: true + properties: + hpeSnapshotGroupInfos: + description: List of HPE snapshot groups created for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotVolumes: + description: Snapshot volumes that are part of this snapshot group + type: object + items: + type: object + properties: + srcVolumeId: + description: ID of the volume that is the source of this snapshot volume + type: string + + srcVolumeName: + description: Name of the volume that is the source of this snapshot volume + type: string + + snapshotId: + description: Snapshot volume Id + type: string + + snapshotName: + description: Snapshot volume name + type: string + - name: v2 + # Each version can be enabled/disabled by Served flag. + served: true + # One and only one version must be marked as the storage version. + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + hpeSnapshotGroupInfos: + description: List of HPE snapshot groups created for 3PAR/Primera arrays. + type: object + items: + type: object + properties: + uuid: + description: The UUID of the node. + type: string + + record: + description: Metadata for the volume group + type: object + + snapshotVolumes: + description: Snapshot volumes that are part of this snapshot group + type: object + items: + type: object + properties: + srcVolumeId: + description: ID of the volume that is the source of this snapshot volume + type: string + + srcVolumeName: + description: Name of the volume that is the source of this snapshot volume + type: string + + snapshotId: + description: Snapshot volume Id + type: string + + snapshotName: + description: Snapshot volume name + type: string + +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupclasses.yaml new file mode 100644 index 0000000000..b588784719 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupclasses.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroupclasses.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroupClass + listKind: SnapshotGroupClassList + plural: snapshotgroupclasses + singular: snapshotgroupclass + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroupClass specifies parameters that a underlying + storage system uses when creating a volumegroup snapshot. A specific SnapshotGroupClass + is used by specifying its name in a VolumeGroupSnapshot object. SnapshotGroupClasses + are non-namespaced + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + deletionPolicy: + description: deletionPolicy determines whether a SnapshotGroupContent + created through the SnapshotGroupClass should be deleted when its + bound SnapshotGroup is deleted. Supported values are "Retain" and + "Delete". "Retain" means that the SnapshotGroupContent and its physical + snapshotGroup on underlying storage system are kept. "Delete" means that + the SnapshotGroupContent and its physical snapshotGroup on underlying + storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + snapshotter: + description: snapshotter is the name of the storage driver that handles this + SnapshotGroupClass. Required. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating snapshotGroups. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - snapshotter + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupcontents.yaml new file mode 100644 index 0000000000..a7132c59e1 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroupcontents.yaml @@ -0,0 +1,104 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroupcontents.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroupContent + listKind: SnapshotGroupContentList + plural: snapshotgroupcontents + singular: snapshotgroupcontent + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroupContent represents the actual "on-disk" snapshotGroup + object in the underlying storage system + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint the + client submits requests to. Cannot be updated. In CamelCase. More + info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + description: spec defines properties of a SnapshotGroupContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this SnapshotGroupContent + and its physical snapshotgroup on the underlying storage system should + be deleted when its bound SnapshotGroup is deleted. Supported + values are "Retain" and "Delete". "Retain" means that the SnapshotGroupContent + and its physical snapshotGroup on underlying storage system are kept. + "Delete" means that the SnapshotGroupContent and its physical + snapshotGroup on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + source: + description: source specifies from where a snapshotGroup will be created.Required. + properties: + snapshotGroupHandle: + description: snapshotGroupHandle specifies the snapshotGroup Id + of a pre-existing snapshotGroup on the underlying storage system. + This field is immutable. + type: string + type: object + snapshotGroupClassName: + description: name of the SnapshotGroupClass to which this snapshotGroup belongs. + type: string + snapshotGroupRef: + description: snapshotGroupRef specifies the SnapshotGroup object + to which this SnapshotGroupContent object is bound. SnapshotGroup.Spec.SnapshotGroupContentName + field must reference to this SnapshotGroupContent's name for + the bidirectional binding to be valid. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + volumeSnapshotContentNames: + description: list of volumeSnapshotContentNames associated with this snapshotGroups + type: array + items: + type: string + required: + - deletionPolicy + - source + - snapshotGroupClassName + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroups.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroups.yaml new file mode 100644 index 0000000000..3372a7db71 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_snapshotgroups.yaml @@ -0,0 +1,83 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snapshotgroups.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: SnapshotGroup + listKind: SnapshotGroupList + plural: snapshotgroups + singular: snapshotgroup + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SnapshotGroup is a user's request for creating a snapshotgroup + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents' + type: string + spec: + description: spec defines the desired characteristics of a snapshotGroup + requested by a user. + Required. + properties: + source: + description: source specifies where a snapshotGroup will be created. + This field is immutable after creation. Required. + properties: + kind: + description: kind of the source (VolumeGroup) is the only supported one. + type: string + apiGroup: + description: apiGroup of the source. Current supported is storage.hpe.com + type: string + name: + description: name specifies the volumeGroupName of the VolumeGroup object in the same namespace as the SnapshotGroup object where the snapshotGroup should be dynamically taken from. This field is immutable. + type: string + type: object + volumeSnapshotClassName: + description: name of the volumeSnapshotClass to create pre-provisioned snapshots + type: string + snapshotGroupClassName: + description: snapshotGroupClassName is the name of the SnapshotGroupClass requested by the SnapshotGroup. + type: string + snapshotGroupContentName: + description: snapshotGroupContentName is the name of the snapshotGroupContent the snapshotGroup is bound. + type: string + required: + - source + - volumeSnapshotClassName + - snapshotGroupClassName + type: object + status: + description: status represents the current information of a snapshotGroup. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + snapshotGroup is taken by the underlying storage system. + format: date-time + type: string + phase: + description: the state of the snapshotgroup + enum: + - Pending + - Ready + - Failed + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupclasses.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupclasses.yaml new file mode 100644 index 0000000000..e201ec94e0 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupclasses.yaml @@ -0,0 +1,60 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroupclasses.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroupClass + listKind: VolumeGroupClassList + plural: volumegroupclasses + singular: volumegroupclass + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroupClass specifies parameters that a underlying + storage system uses when creating a volumegroup. A specific VolumeGroupClass + is used by specifying its name in a VolumeGroup object. VolumeGroupClasses + are non-namespaced + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + deletionPolicy: + description: deletionPolicy determines whether a VolumeGroupContent + created through the VolumeGroupClass should be deleted when its + bound VolumeGroup is deleted. Supported values are "Retain" and + "Delete". "Retain" means that the VolumeGroupContent and its physical + volumeGroup on underlying storage system are kept. "Delete" means that + the VolumeGroupContent and its physical volumeGroup on underlying + storage system are deleted. Required. + enum: + - Delete + - Retain + type: string + provisioner: + description: provisioner is the name of the storage driver that handles this + VolumeGroupClass. Required. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + parameters: + additionalProperties: + type: string + description: parameters is a key-value map with storage driver specific + parameters for creating volumeGroups. These values are opaque to Kubernetes. + type: object + required: + - deletionPolicy + - provisioner + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupcontents.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupcontents.yaml new file mode 100644 index 0000000000..d944909ebf --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroupcontents.yaml @@ -0,0 +1,96 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroupcontents.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroupContent + listKind: VolumeGroupContentList + plural: volumegroupcontents + singular: volumegroupcontent + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroupContent represents the actual "on-disk" volumeGroup + object in the underlying storage system + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: Kind is a string value representing the REST resource + this object represents. + type: string + spec: + description: spec defines properties of a VolumeGroupContent created + by the underlying storage system. Required. + properties: + deletionPolicy: + description: deletionPolicy determines whether this VolumeGroupContent + and its physical volumegroup on the underlying storage system should + be deleted when its bound VolumeGroup is deleted. Supported + values are "Retain" and "Delete". "Retain" means that the VolumeGroupContent + and its physical volumeGroup on underlying storage system are kept. + "Delete" means that the VolumeGroupContent and its physical + volumeGroup on underlying storage system are deleted. + Required. + enum: + - Delete + - Retain + type: string + source: + description: source specifies from where a volumeGroup will be created.Required. + properties: + volumeGroupHandle: + description: volumeGroupHandle specifies the volumeGroup Id + of a pre-existing volumeGroup on the underlying storage system. + This field is immutable. + type: string + type: object + volumeGroupClassName: + description: name of the VolumeGroupClass to which this volumeGroup belongs. + type: string + volumeGroupRef: + description: volumeGroupRef specifies the VolumeGroup object + to which this VolumeGroupContent object is bound. VolumeGroup.Spec.VolumeGroupContentName + field must reference to this VolumeGroupContent's name for + the bidirectional binding to be valid. + Required. + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + required: + - deletionPolicy + - source + - volumeGroupClassName + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroups.yaml b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroups.yaml new file mode 100644 index 0000000000..862b4398a8 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/crds/storage.hpe.com_volumegroups.yaml @@ -0,0 +1,69 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: volumegroups.storage.hpe.com +spec: + conversion: + strategy: None + group: storage.hpe.com + names: + kind: VolumeGroup + listKind: VolumeGroupList + plural: volumegroups + singular: volumegroup + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VolumeGroup is a user's request for creating a volumegroup + properties: + apiVersion: + description: APIVersion defines the versioned schema of this representation + of an object. + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents' + type: string + spec: + description: spec defines the desired characteristics of a volumeGroup + requested by a user. + Required. + properties: + volumeGroupClassName: + description: name of the volumeGroupClassName to create volumeGroups + type: string + persistentVolumeClaimNames: + description: persistentVolumeClaimNames are the name of the PVC associated with this volumeGroup. + type: array + items: + type: string + volumeGroupContentName: + description: volumeGroupContentName is the name of the volumeGroupContent to which the volumeGroup is bound. + type: string + required: + - volumeGroupClassName + type: object + status: + description: status represents the current information of a volumeGroup. + properties: + creationTime: + description: creationTime is the timestamp when the point-in-time + volumeGroup is taken by the underlying storage system. + format: date-time + type: string + phase: + description: the state of the volumegroup + enum: + - Pending + - Ready + - Failed + type: string + type: object + required: + - spec + type: object + served: true + storage: true \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/files/config.json b/charts/hpe/hpe-csi-driver/2.4.2/files/config.json new file mode 100644 index 0000000000..d7f893b2ad --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/files/config.json @@ -0,0 +1,405 @@ +{ + "Nimble": { + "Default": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Manual startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "manual" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum login timeout of 15 seconds is recommended with iSCSI. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "login_timeout", + "recommendation": "15" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum timeout of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum cmds_max of 512 is recommended for each session if handling multiple LUN's. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "cmds_max", + "recommendation": "512" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum queue_depth of 256 is recommended for each iSCSI session/path. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "queue_depth", + "recommendation": "256" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum number of sessions per iSCSI login is recommended to be 1 by default. If additional sessions are needed this can be set in /etc/iscsi/iscsid.conf. If NCM is running, please change min_session_per_array in /etc/ncm.conf and restart nlt service instead", + "parameter": "nr_sessions", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to Server in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"Server\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "immediately fail i/o on transient path failures to retry on other paths, value=1. Can be set in /etc/multipath.conf", + "parameter": "fast_io_fail_tmo", + "recommendation": "5" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 30. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "30" + }, + { + "category": "multipath", + "severity": "warning", + "description": "service-time path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"service-time 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to Nimble in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"Nimble\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": "infinite value is recommended for timeout in cases of device loss for FC. Can be set in /etc/multipath.conf", + "parameter": "dev_loss_tmo", + "recommendation": "infinity" + } + ], + "Ubuntu": null + }, + "3PARdata": { + "Default": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Manual startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "manual" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum login timeout of 15 seconds is recommended with iSCSI. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "login_timeout", + "recommendation": "15" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum timeout of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum cmds_max of 512 is recommended for each session if handling multiple LUN's. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "cmds_max", + "recommendation": "512" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum queue_depth of 256 is recommended for each iSCSI session/path. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "queue_depth", + "recommendation": "256" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum number of sessions per iSCSI login is recommended to be 1 by default. If additional sessions are needed this can be set in /etc/iscsi/iscsid.conf. If NCM is running, please change min_session_per_array in /etc/ncm.conf and restart nlt service instead", + "parameter": "nr_sessions", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to VV in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"VV\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "immediately fail i/o on transient path failures to retry on other paths, value=1. Can be set in /etc/multipath.conf", + "parameter": "fast_io_fail_tmo", + "recommendation": "10" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 18. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "18" + }, + { + "category": "multipath", + "severity": "warning", + "description": "round-robin 0 path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"round-robin 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to 3PARdata. Can be set in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"3PARdata\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "infinite value is recommended for timeout in cases of device loss for FC. Can be set in /etc/multipath.conf", + "parameter": "dev_loss_tmo", + "recommendation": "infinity" + }, + { + "category": "multipath", + "severity": "critical", + "description": "tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": "0 value is recommended for features. Can be set in /etc/multipath.conf", + "parameter": "features", + "recommendation": "\"0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "uniform rr_weight is recommended. Can be set in /etc/multipath.conf", + "parameter": "rr_weight", + "recommendation": "\"uniform\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "rr_min_io_rq 1 is recommended. Can be set in /etc/multipath.conf", + "parameter": "rr_min_io_rq", + "recommendation": "1" + }, + { + "category": "multipath", + "severity": "critical", + "description": "detect_prio yes is recommended. Can be set in /etc/multipath.conf", + "parameter": "detect_prio", + "recommendation": "yes" + } + ], + "Ubuntu": [ + { + "category": "iscsi", + "severity": "warning", + "description": "Automatic startup of iSCSI nodes on boot. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "startup", + "recommendation": "automatic" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Replacement_timeout of 10 seconds is recommended for faster failover of I/O by multipath on path failures. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "replacement_timeout", + "recommendation": "10" + }, + { + "category": "iscsi", + "severity": "warning", + "description": "Minimum interval of 10 seconds is recommended with noop requests. Can be set in /etc/iscsi/iscsid.conf", + "parameter": "noop_out_interval", + "recommendation": "10" + }, + { + "category": "multipath", + "severity": "critical", + "description": "product attribute recommended to be set to VV in /etc/multipath.conf", + "parameter": "product", + "recommendation": "\"VV\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "alua prioritizer is recommended. Can be set in /etc/multipath.conf", + "parameter": "prio", + "recommendation": "alua" + }, + { + "category": "multipath", + "severity": "critical", + "description": "scsi_dh_alua device handler is recommended. Can be set in /etc/multipath.conf", + "parameter": "hardware_handler", + "recommendation": "\"1 alua\"" + }, + { + "category": "multipath", + "severity": "warning", + "description": "immediate failback setting is recommended. Can be set in /etc/multipath.conf", + "parameter": "failback", + "recommendation": "immediate" + }, + { + "category": "multipath", + "severity": "critical", + "description": "queueing is recommended for 150 seconds, with no_path_retry value of 18. Can be set in /etc/multipath.conf", + "parameter": "no_path_retry", + "recommendation": "18" + }, + { + "category": "multipath", + "severity": "warning", + "description": "round-robin 0 path selector is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_selector", + "recommendation": "\"round-robin 0\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "vendor attribute recommended to be set to 3PARdata in /etc/multipath.conf", + "parameter": "vendor", + "recommendation": "\"3PARdata\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "group paths according to ALUA path priority of active/standby. Recommended to be set to group_by_prio in /etc/multipath.conf", + "parameter": "path_grouping_policy", + "recommendation": "group_by_prio" + }, + { + "category": "multipath", + "severity": "critical", + "description": "getuid_callout whitelist is recommended. Can be set in /etc/multipath.conf", + "parameter": "getuid_callout", + "recommendation": "\"/lib/udev/scsi_id --whitelisted --device=/dev/%n\"" + }, + { + "category": "multipath", + "severity": "critical", + "description": "rr_min_io is recommended with value as 100. Can be set in /etc/multipath.conf", + "parameter": "rr_min_io", + "recommendation": "100" + }, + { + "category": "multipath", + "severity": "critical", + "description": " tur checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": " tur path checker is recommended. Can be set in /etc/multipath.conf", + "parameter": "path_checker", + "recommendation": "tur" + }, + { + "category": "multipath", + "severity": "critical", + "description": " features 0 is recommended. Can be set in /etc/multipath.conf", + "parameter": "features", + "recommendation": "\"0\"" + } + ] + } +} \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/questions.yml b/charts/hpe/hpe-csi-driver/2.4.2/questions.yml new file mode 100644 index 0000000000..e607a36185 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/questions.yml @@ -0,0 +1,87 @@ +labels: + io.rancher.certified: partner +questions: +- variable: disableNodeConformance + label: "Disable automatic installation of iSCSI/Multipath Packages" + type: boolean + default: false + description: "Disable automatic installation of iSCSI/Multipath Packages" + group: "HPE CSI Driver settings" +- variable: disableNodeGetVolumeStats + label: "Disable NoteGetVolumeStats" + type: boolean + default: false + description: "Disable NodeGetVolumeStats call to CSI driver" + group: "HPE CSI Driver settings" +- variable: imagePullPolicy + label: "ImagePullPolicy" + default: "IfNotPresent" + type: enum + options: + - "IfNotPresent" + - "Always" + - "Never" + description: "ImagePullPolicy for all CSI driver images" + group: "HPE CSI Driver settings" +- variable: iscsi.chapUser + label: "iSCSI CHAP Username" + type: string + required: false + description: "Specify username for iSCSI CHAP authentication" + group: "HPE iSCSI settings" +- variable: iscsi.chapPassword + label: "iSCSI CHAP Password" + type: password + min_length: 12 + max_length: 16 + required: false + description: "Specify password for iSCSI CHAP authentication" + group: "HPE iSCSI settings" +- variable: logLevel + label: "Set log level" + default: "info" + type: enum + options: + - "info" + - "debug" + - "trace" + - "warn" + - "error" + description: "Sets the CSI driver and sidecar log level" + group: "HPE CSI Driver settings" +- variable: registry + label: "Registry" + type: string + default: "quay.io" + description: "Specify registry prefix (hostname[:port]) for CSI driver images" + group: "HPE CSI Driver settings" +- variable: kubeletRootDir + label: "Set kubeletRootDir" + type: string + default: "/var/lib/kubelet" + description: "The kubelet root directory path" + group: "HPE CSI Driver settings" +- variable: disable.nimble + label: "Disable Nimble" + type: boolean + default: false + description: "Disable HPE Nimble Storage CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.primera + label: "Disable Primera" + type: boolean + default: false + description: "Disable HPE Primera (and 3PAR) CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.alletra6000 + label: "Disable Alletra 5000/6000" + type: boolean + default: false + description: "Disable HPE Alletra 5000/6000 CSP Service" + group: "Disable Container Storage Providers" +- variable: disable.alletra9000 + label: "Disable Alletra 9000" + type: boolean + default: false + description: "Disable HPE Alletra 9000 CSP Service" + group: "Disable Container Storage Providers" diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/NOTES.txt b/charts/hpe/hpe-csi-driver/2.4.2/templates/NOTES.txt new file mode 100644 index 0000000000..e69de29bb2 diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/_helpers.tpl b/charts/hpe/hpe-csi-driver/2.4.2/templates/_helpers.tpl new file mode 100644 index 0000000000..165840d528 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "hpe-csi-storage.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "hpe-csi-storage.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "hpe-csi-storage.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/csi-driver-crd.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/csi-driver-crd.yaml new file mode 100644 index 0000000000..81fb29fa4b --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/templates/csi-driver-crd.yaml @@ -0,0 +1,24 @@ + + + +--- + +################# CSI Driver ########### +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "18") }} +apiVersion: storage.k8s.io/v1 +{{- else if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "14") }} +apiVersion: storage.k8s.io/v1beta1 +{{- end }} + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "14") }} +kind: CSIDriver +metadata: + name: csi.hpe.com +spec: + podInfoOnMount: true + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "16") }} + volumeLifecycleModes: + - Persistent + - Ephemeral + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-controller.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/hpe-csi-controller.yaml rename to charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-controller.yaml diff --git a/charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-node.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/hpe-csi-node.yaml rename to charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-node.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-rbac.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-rbac.yaml new file mode 100644 index 0000000000..fd72c99567 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-csi-rbac.yaml @@ -0,0 +1,565 @@ +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-provisioner-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["services"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] +{{- end }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch", "delete"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "12") }} + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + {{- else if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "13") }} + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + {{ else }} + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + {{- end }} + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-attacher-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-attacher-role + apiGroup: rbac.authorization.k8s.io + + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotter-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["create", "update", "delete", "get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "update", "delete", "get", "list", "watch", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-snapshotter-role + apiGroup: rbac.authorization.k8s.io + +{{- end }} + +{{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} +--- +# Resizer must be able to work with PVCs, PVs, SCs. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: external-resizer-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: external-resizer-role + apiGroup: rbac.authorization.k8s.io + +--- + +# Resizer must be able to work with end point in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: external-resizer-cfg +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- + +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role-cfg + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: external-resizer-cfg + apiGroup: rbac.authorization.k8s.io + + +--- +# cluster role to support volumegroup +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-volumegroup-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupclasses"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "get", "update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-volumegroup-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-volumegroup-role + apiGroup: rbac.authorization.k8s.io + +--- +# cluster role to support snapshotgroup +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotgroup-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroups"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupcontents"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupclasses"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroups/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["snapshotgroupcontents/status"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "get", "update"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroups"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupcontents"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.hpe.com"] + resources: ["volumegroupclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list"] + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-snapshotgroup-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: hpe-csi-snapshotgroup-role + apiGroup: rbac.authorization.k8s.io + +--- +# mutator must be able to work with PVCs, PVs, SCs. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + # replace with non-default namespace name + namespace: {{ .Release.Namespace }} + +roleRef: + kind: ClusterRole + name: csi-mutator-role + apiGroup: rbac.authorization.k8s.io + +--- +# mutator must be able to work with end point in current namespace +# if (and only if) leadership election is enabled +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: csi-mutator-cfg +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-mutator-role-cfg + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + +roleRef: + kind: Role + name: csi-mutator-cfg + apiGroup: rbac.authorization.k8s.io +{{- end }} + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-driver-role +rules: + - apiGroups: ["storage.hpe.com"] + resources: ["hpenodeinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpevolumeinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpereplicationdeviceinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpevolumegroupinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: ["storage.hpe.com"] + resources: ["hpesnapshotgroupinfos"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hpe-csi-node-sa + namespace: {{ .Release.Namespace }} + +--- + +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hpe-csi-driver-binding +subjects: + - kind: ServiceAccount + name: hpe-csi-controller-sa + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: hpe-csi-node-sa + namespace: {{ .Release.Namespace }} + - kind: ServiceAccount + name: hpe-csp-sa + namespace: {{ .Release.Namespace }} + +roleRef: + kind: ClusterRole + name: hpe-csi-driver-role + apiGroup: rbac.authorization.k8s.io + +--- + +kind: ServiceAccount +apiVersion: v1 +metadata: + name: hpe-csp-sa + namespace: {{ .Release.Namespace }} diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-linux-config.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-linux-config.yaml new file mode 100644 index 0000000000..5e4c4944a1 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/templates/hpe-linux-config.yaml @@ -0,0 +1,13 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: hpe-linux-config + namespace: {{ .Release.Namespace }} +data: +{{ if and .Values.iscsi.chapUser .Values.iscsi.chapPassword }} + CHAP_USER: {{ .Values.iscsi.chapUser | quote }} + CHAP_PASSWORD: {{ .Values.iscsi.chapPassword | quote }} +{{- end }} + config.json: |- +{{ (.Files.Get "files/config.json") | indent 4 }} \ No newline at end of file diff --git a/charts/hpe/hpe-csi-driver/2.4.2/templates/nimble-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/nimble-csp.yaml new file mode 100644 index 0000000000..e020cee0c2 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/templates/nimble-csp.yaml @@ -0,0 +1,93 @@ +{{- if not .Values.disable.alletra6000 }} + +--- +### Alletra 5000/6000 CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: alletra6000-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: alletra6000-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: nimble-csp +{{- end }} + +{{- if not .Values.disable.nimble }} +--- +### Nimble CSP Service ### +kind: Service +apiVersion: v1 +metadata: + name: nimble-csp-svc + namespace: {{ .Release.Namespace }} + labels: + app: nimble-csp-svc +spec: + ports: + - port: 8080 + protocol: TCP + selector: + app: nimble-csp +{{- end }} + + +{{- if or (not .Values.disable.alletra6000) (not .Values.disable.nimble) }} +--- +### CSP deployment ### +kind: Deployment +apiVersion: apps/v1 +metadata: + name: nimble-csp + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: nimble-csp + replicas: 1 + template: + metadata: + labels: + app: nimble-csp + {{- if .Values.csp.labels }} +{{ toYaml .Values.csp.labels | indent 8 }} + {{- end }} + spec: + serviceAccountName: hpe-csp-sa + {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} + priorityClassName: system-cluster-critical + {{- end }} + containers: + - name: nimble-csp + {{- if .Values.registry }} + image: {{ .Values.registry }}/hpestorage/alletra-6000-and-nimble-csp:v2.4.1 + {{- else }} + image: quay.io/hpestorage/alletra-6000-and-nimble-csp:v2.4.1 + {{- end }} + imagePullPolicy: {{ .Values.imagePullPolicy | quote }} + ports: + - containerPort: 8080 + volumeMounts: + - name: log-dir + mountPath: /var/log + volumes: + - name: log-dir + hostPath: + path: /var/log + {{- if .Values.csp.nodeSelector }} + nodeSelector: +{{ toYaml .Values.csp.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.csp.tolerations }} + tolerations: +{{ toYaml .Values.csp.tolerations | indent 8 }} + {{- end }} + {{- if .Values.csp.affinity }} + affinity: +{{ toYaml .Values.csp.affinity | indent 8 }} + {{- end }} +{{- end }} diff --git a/charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml b/charts/hpe/hpe-csi-driver/2.4.2/templates/primera-3par-csp.yaml similarity index 100% rename from charts/hpe/hpe-csi-driver/templates/primera-3par-csp.yaml rename to charts/hpe/hpe-csi-driver/2.4.2/templates/primera-3par-csp.yaml diff --git a/charts/hpe/hpe-csi-driver/2.4.2/values.schema.json b/charts/hpe/hpe-csi-driver/2.4.2/values.schema.json new file mode 100644 index 0000000000..8b2bd42733 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/values.schema.json @@ -0,0 +1,292 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "$id": "http://example.com/example.json", + "title": "HPE CSI Driver for Kubernetes Helm Chart JSON Schema", + "type": "object", + "default": + { + "disable": { + "nimble": false, + "primera": false, + "alletra6000": false, + "alletra9000": false, + "alletraStorageMP": false + }, + "disableNodeConformance": false, + "disableNodeConfiguration": false, + "imagePullPolicy": "IfNotPresent", + "iscsi": { + "chapUser": "", + "chapPassword": "" + }, + "logLevel": "info", + "registry": "quay.io", + "kubeletRootDir": "/var/lib/kubelet/", + "disableNodeGetVolumeStats": false, + "csp": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + }, + "controller": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + }, + "node": { + "nodeSelector": {}, + "tolerations": [], + "affinity": {}, + "labels": {} + } + + }, + "required": [ + "disable", + "disableNodeConformance", + "disableNodeConfiguration", + "imagePullPolicy", + "iscsi", + "logLevel", + "registry", + "kubeletRootDir", + "disableNodeGetVolumeStats", + "csp", + "controller", + "node" + ], + "properties": { + "disable": { + "$id": "#/properties/disable", + "title": "CSP Deployment and Service backend exclusion", + "description": "All backend Deployments and Services are installed by default.", + "type": "object", + "default": + { + "nimble": false, + "primera": false, + "alletra6000": false, + "alletra9000": false, + "alletraStorageMP": false + }, + "required": [ + "nimble", + "primera", + "alletra6000", + "alletra9000", + "alletraStorageMP" + ], + "properties": { + "nimble": { + "$id": "#/properties/disable/properties/nimble", + "title": "HPE Nimble Storage", + "type": "boolean", + "default": false + }, + "primera": { + "$id": "#/properties/disable/properties/primera", + "title": "HPE Primera", + "type": "boolean", + "default": false + }, + "alletra6000": { + "$id": "#/properties/disable/properties/alletra6000", + "title": "HPE Alletra 5000/6000", + "type": "boolean", + "default": false + }, + "alletra9000": { + "$id": "#/properties/disable/properties/alletra9000", + "title": "HPE Alletra 9000", + "type": "boolean", + "default": false + }, + "alletraStorageMP": { + "$id": "#/properties/disable/properties/alletraStorageMP", + "title": "HPE Alletra Storage MP", + "type": "boolean", + "default": false + } + }, + "additionalProperties": false + }, + "disableNodeConformance": { + "$id": "#/properties/disableNodeConformance", + "title": "Disable node conformance", + "description": "Disabling node conformance forces the cluster administrator to install required packages and ensure the correct node services are started to use external block storage.", + "type": "boolean", + "default": false + }, + "disableNodeConfiguration": { + "$id": "#/properties/disableNodeConfiguration", + "title": "Disable node configuration", + "description": "Disabling node configuration forces the cluster administrator to ensure all node services are configured and started to use external block storage.", + "type": "boolean", + "default": false + }, + "imagePullPolicy": { + "$id": "#/properties/imagePullPolicy", + "title": "CSI driver image pull policy", + "type": "string", + "default": "IfNotPresent", + "enum": [ "Always", "IfNotPresent", "Never" ] + }, + "iscsi": { + "$id": "#/properties/iscsi", + "title": "iSCSI CHAP credentials", + "type": "object", + "default": + { + "chapUser": "", + "chapPassword": "" + }, + "required": [ + "chapUser", + "chapPassword" + ], + "properties": { + "chapUser": { + "$id": "#/properties/iscsi/properties/chapUser", + "title": "CHAP username", + "type": "string", + "default": "" + }, + "chapPassword": { + "$id": "#/properties/iscsi/properties/chapPassword", + "title": "CHAP password", + "description": "Between 12 and 16 characters", + "type": "string", + "default": "", + "pattern": "^$|^[a-zA-Z0-9+_)(*^%$#@!]{12,16}$" + } + }, + "additionalProperties": false + }, + "logLevel": { + "$id": "#/properties/logLevel", + "title": "Set the log level of the HPE CSI Driver images", + "type": "string", + "default": "info", + "enum": [ "info", "debug", "trace", "warn", "error" ] + }, + "registry": { + "$id": "#/properties/registry", + "title": "Pull images from a different registry than default", + "description": "SIG Storage images needs to be mirrored from k8s.gcr.io to this registry if this parameter is changed.", + "type": "string", + "default": "quay.io" + }, + "kubeletRootDir": { + "$id": "#/properties/kubeletRootDir", + "title": "Kubelet root directory", + "description": "Only change this if the kubelet root dir has been altered by the Kubernetes platform installer.", + "type": "string", + "default": "/var/lib/kubelet", + "pattern": "^/" + }, + "disableNodeGetVolumeStats": { + "$id": "#/properties/disableNodeGetVolumeStats", + "title": "Disable the CSI nodeGetVolumeStats call", + "description": "In very large environments, disabling this feature may alleviate pressure on the CSP.", + "type": "boolean", + "default": false + }, + "csp": { + "nodeSelector": { + "$id": "#/properties/csp/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/csp/properties/tolerations", + "title": "Set tolerations for the csp pods(optional).", + "description": "Tolerations is the list of tolerations for the csp pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/csp/properties/affinity", + "title": "Node affinity for csp plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/csp/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "controller": { + "nodeSelector": { + "$id": "#/properties/controller/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/controller/properties/tolerations", + "title": "Set tolerations for the driver pods(optional)", + "description": "Tolerations is the list of tolerations for the driver pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/controller/properties/affinity", + "title": "Node affinity for controller plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/controller/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "node": { + "nodeSelector": { + "$id": "#/properties/node/properties/nodeSelector", + "title": "Node selector to control the selection of nodes (optional).", + "description": "Selector which must match a node's labels for the pod to be scheduled on that node.", + "type": "object", + "default": {} + }, + "tolerations": { + "$id": "#/properties/node/properties/tolerations", + "title": "Set tolerations for the node pods(optional).", + "description": "Tolerations is the list of tolerations for the node pods.", + "type": "array", + "default": [] + }, + "affinity": { + "$id": "#/properties/node/properties/affinity", + "title": "Node affinity for node plugin (optional).", + "description": "Describes node affinity scheduling rules for the pod.", + "type": "object", + "default": {} + }, + "labels": { + "$id": "#/properties/node/properties/labels", + "title": "labels", + "description": "labels.", + "type": "object", + "default": {} + } + + }, + "global": {} + }, + "additionalProperties": false +} diff --git a/charts/hpe/hpe-csi-driver/2.4.2/values.yaml b/charts/hpe/hpe-csi-driver/2.4.2/values.yaml new file mode 100644 index 0000000000..b69f4105d5 --- /dev/null +++ b/charts/hpe/hpe-csi-driver/2.4.2/values.yaml @@ -0,0 +1,77 @@ +# Default values for hpe-csi-driver Helm chart +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Control CSP Service and Deployments for HPE storage products +disable: + nimble: false + primera: false + alletra6000: false + alletra9000: false + alletraStorageMP: false + +# For controlling automatic iscsi/multipath package installation +disableNodeConformance: false + +# For controlling automatic iscsi/multipath service configuration +disableNodeConfiguration: false + +# imagePullPolicy applied for all hpe-csi-driver images +imagePullPolicy: "IfNotPresent" + +# Cluster wide values for CHAP authentication +iscsi: + chapUser: "" + chapPassword: "" + +# Log level for all hpe-csi-driver components +logLevel: "info" + +# Registry prefix for hpe-csi-driver images +registry: "quay.io" + +# Kubelet root directory path +kubeletRootDir: "/var/lib/kubelet/" + +# NodeGetVolumestats will be called by default, set true to disable the call +disableNodeGetVolumeStats: false + +controller: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} + + +csp: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} + +node: + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + labels: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + nodeSelector: {} + + # These values map directly to yaml in the deployment spec, see the kubernetes docs for info + tolerations: [] + + affinity: {} diff --git a/charts/hpe/hpe-csi-info-metrics/Chart.yaml b/charts/hpe/hpe-csi-info-metrics/1.0.2/Chart.yaml similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/Chart.yaml rename to charts/hpe/hpe-csi-info-metrics/1.0.2/Chart.yaml diff --git a/charts/hpe/hpe-csi-info-metrics/README.md b/charts/hpe/hpe-csi-info-metrics/1.0.2/README.md similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/README.md rename to charts/hpe/hpe-csi-info-metrics/1.0.2/README.md diff --git a/charts/hpe/hpe-csi-info-metrics/app-readme.md b/charts/hpe/hpe-csi-info-metrics/1.0.2/app-readme.md similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/app-readme.md rename to charts/hpe/hpe-csi-info-metrics/1.0.2/app-readme.md diff --git a/charts/hpe/hpe-csi-info-metrics/questions.yml b/charts/hpe/hpe-csi-info-metrics/1.0.2/questions.yml similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/questions.yml rename to charts/hpe/hpe-csi-info-metrics/1.0.2/questions.yml diff --git a/charts/hpe/hpe-csi-info-metrics/templates/NOTES.txt b/charts/hpe/hpe-csi-info-metrics/1.0.2/templates/NOTES.txt similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/templates/NOTES.txt rename to charts/hpe/hpe-csi-info-metrics/1.0.2/templates/NOTES.txt diff --git a/charts/hpe/hpe-csi-info-metrics/templates/hpe-csi-info-metrics.yaml b/charts/hpe/hpe-csi-info-metrics/1.0.2/templates/hpe-csi-info-metrics.yaml similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/templates/hpe-csi-info-metrics.yaml rename to charts/hpe/hpe-csi-info-metrics/1.0.2/templates/hpe-csi-info-metrics.yaml diff --git a/charts/hpe/hpe-csi-info-metrics/templates/tests/test-hpe-csi-info-metrics.yaml b/charts/hpe/hpe-csi-info-metrics/1.0.2/templates/tests/test-hpe-csi-info-metrics.yaml similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/templates/tests/test-hpe-csi-info-metrics.yaml rename to charts/hpe/hpe-csi-info-metrics/1.0.2/templates/tests/test-hpe-csi-info-metrics.yaml diff --git a/charts/hpe/hpe-csi-info-metrics/values.schema.json b/charts/hpe/hpe-csi-info-metrics/1.0.2/values.schema.json similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/values.schema.json rename to charts/hpe/hpe-csi-info-metrics/1.0.2/values.schema.json diff --git a/charts/hpe/hpe-csi-info-metrics/values.yaml b/charts/hpe/hpe-csi-info-metrics/1.0.2/values.yaml similarity index 100% rename from charts/hpe/hpe-csi-info-metrics/values.yaml rename to charts/hpe/hpe-csi-info-metrics/1.0.2/values.yaml